HijackThis log - please analyze
#1
Banned
Joined: Aug 2009
Age: 27
Posts: 258
Reputation: 0
Hi everyone. I've been having two kinds of problems with my PC. I don't know whether both have a common cause or whether there are several causes. One of the problems: I can't access antivirus sites, nor the Microsoft site. I was told it could be Conficker. I was advised, before anything else, to make a HijackThis log and post it here, and that's what I'm doing.
The other problem: my PC is very, very slow. I don't get it. For example, loading a new page on the internet, like opening a topic on Orkut, simple things like that, uses 100% of the CPU. If there are two web pages open, then until both have loaded you can barely breathe. It's not an internet problem; downloads are fast, normal, 2 Mb Velox (it was top of the line back in the day). Watching video on YouTube is impossible, there's no way. It's hell. All, and I mean all, videos on the internet, even GIF images, freeze and stutter. It doesn't even reach an acceptable level. But I noticed that the video image stutters while the audio does not. Looking at my PC, I noticed the video card was very hot, which could be one cause of the image stuttering, but that's just one, only one, of the cases of slowness. Playing anything has become unfeasible, and I take responsibility for that, since I waited until it reached an unsustainable state before asking for help. Anyway, I come here to ask you for help. Of course, if the problem isn't a virus but hardware or anything else, I won't ask you here, because there's a section for that, but if you could at least give me an idea of what it might be, if not a virus, I'd be grateful.
First of all, a hug to everyone, and thank you. Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:43:30, on 4/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Arquivos de programas\Windows Live\Toolbar\wltuser.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askR...25&gct=&gc=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askR...25&gct=&gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askR...gct=&gc=1&q=%s
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Arquivos de programas\AskSearch\bin\DefaultSearch.dll (file missing)
F3 - REG:win.ini: load=C:\WINDOWS\system32\{HCQ9D-TVCWX-X9QRG-J4B2Y-GR2TT-CM3HY-26VYW-6JRYC-X66GX-JVY2D}.vbs
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10990D5B-D686-4CD2-81EB-C7540450A1BA} - C:\WINDOWS\system32\ddcddBsR.dll (file missing)
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Arquivos de programas\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Arquivos de programas\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: D - {6B9C1F28-F65C-3152-BACB-4391E195A394} - C:\WINDOWS\system32\wtx69451.dll (file missing)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Arquivos de programas\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\ARQUIV~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {78FE2992-05C3-4B43-A760-0E04F277F131} - C:\WINDOWS\system32\nnnmkLBR.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\ARQUIV~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {A057A204-BACC-4D26-9F9D-3BEFCFBE6E86} - (no file)
O2 - BHO: {53ae7378-02e1-fada-9714-d187182fe14a} - {a41ef281-781d-4179-adaf-1e208737ea35} - C:\WINDOWS\system32\nndvya.dll (file missing)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\system32\sortst.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\ARQUIV~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: (no name) - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - (no file)
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9F9D-3BEFCFBE6E86} - (no file)
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - (no file)
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Arquivos de programas\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft WinUpdate] C:\WINDOWS\system32\msupdte.exe
O4 - HKLM\..\Run: [e084ac37] rundll32.exe "C:\WINDOWS\system32\qhenvaxx.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARQUIV~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BMe3b79fab] Rundll32.exe "C:\WINDOWS\system32\urrlblqe.dll",s
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [RemoteControl8] "C:\Arquivos de programas\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [msnmsgrs] C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\msrgr.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [XP-6C3862C0] C:\WINDOWS\system32\XP-6C3862C0.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NitroPC] "C:\Arquivos de programas\NitroPC\NitroPC.exe" -minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Avi Player] "C:\Arquivos de programas\Avi Player\AviPlayer.exe" hmw
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ¡¡¡¡¡¡.lnk = C:\WINDOWS\system32\XP-6C3862C0.EXE
O4 - Global Startup: msrgr.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Software Kodak EasyShare.lnk = C:\Arquivos de programas\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Arquivos de programas\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Arquivos de programas\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Arquivos de programas\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} (UploadListView Class) - http://picasaweb.google.com/s/v/57.11/uploader2.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/45.19/uploader2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1214608929109
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01...l/MSNPUpld.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\ARQUIV~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Arquivos de programas\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: GbiehCef - C:\WINDOWS\
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: ddcddBsR - ddcddBsR.dll (file missing)
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Arquivos de programas\Arquivos comuns\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 12471 bytes

Last edited by cotonete213: 04-12-2009 at 17:01. Reason: capslock
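A first triage pass over a HijackThis log of the kind posted above, as an added example written for this page (it is not part of the thread, of HijackThis or of the forum's procedure). The sample entries are copied from the posted log; the heuristics and the `KNOWN_SYSTEM32_AUTORUNS` allowlist are this example's own assumptions, and a hit means "look closer", not "malicious".

```python
"""Triage helper for Trend Micro HijackThis v2 log lines (added example).

The heuristics below are this example's assumptions about which entries
deserve a second look; every hit still needs a human check.
"""
import re
from dataclasses import dataclass

# One entry per line: "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
# rundll32 loading a DLL out of system32 and calling a one-letter export: the shape
# of the two Run entries the Malwarebytes report later in the thread names as Vundo.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^"]*\\system32\\[^"\\]+\.dll)"?,(?P<export>\w+)',
    re.IGNORECASE,
)
# A bare .exe started directly out of system32 by a Run key.
SYSTEM32_EXE_RE = re.compile(
    r'[A-Z]:\\WINDOWS\\system32\\(?P<exe>[^\\\s"]+\.exe)', re.IGNORECASE
)
# Assumed allowlist: the one system32 autorun in the posted log that is a stock XP component.
KNOWN_SYSTEM32_AUTORUNS = {"ctfmon.exe"}
MISSING_MARKERS = ("(file missing)", "(no file)")


@dataclass(frozen=True)
class Finding:
    section: str
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str


def parse_entries(text):
    """Yield (section, body, line) per entry; header and process-list lines are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("sec"), m.group("body"), line


def triage(text):
    """Return the entries worth a closer look, each with a severity and a reason."""
    findings = []
    for sec, body, line in parse_entries(text):
        missing = any(mk in body for mk in MISSING_MARKERS)
        if sec == "F3" and "load=" in body and body.lower().endswith((".vbs", ".js", ".bat")):
            findings.append(Finding(sec, "high", "win.ini load= runs a script at logon", line))
        elif sec == "O2" and body.startswith("BHO: (no name)"):
            # In this thread the 'missing' ddcddBsR.dll was later found and removed by
            # Malwarebytes, so a missing file does not clear an unnamed BHO.
            findings.append(Finding(sec, "medium" if missing else "high",
                                    "browser helper object without a name", line))
        elif sec == "O20" and missing:
            findings.append(Finding(sec, "medium", "Winlogon Notify DLL not found on disk", line))
        elif missing:
            findings.append(Finding(sec, "low", "orphaned registration, file not present", line))
        elif sec == "O4":
            dll = RUNDLL_RE.search(body)
            exe = SYSTEM32_EXE_RE.search(body)
            if dll and len(dll.group("export")) == 1:
                findings.append(Finding(sec, "high", "rundll32 loads %s, export '%s'"
                                        % (dll.group("dll"), dll.group("export")), line))
            elif exe and exe.group("exe").lower() not in KNOWN_SYSTEM32_AUTORUNS:
                findings.append(Finding(sec, "medium", "autorun of %s straight from system32"
                                        % exe.group("exe"), line))
        elif sec == "O23" and "Unknown owner" in body:
            findings.append(Finding(sec, "low", "service without publisher information", line))
    return findings


def severity_counts(findings):
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Sample input: entries copied from the log posted above, plus one non-entry header line.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Arquivos de programas\AskSearch\bin\DefaultSearch.dll (file missing)
F3 - REG:win.ini: load=C:\WINDOWS\system32\{HCQ9D-TVCWX-X9QRG-J4B2Y-GR2TT-CM3HY-26VYW-6JRYC-X66GX-JVY2D}.vbs
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10990D5B-D686-4CD2-81EB-C7540450A1BA} - C:\WINDOWS\system32\ddcddBsR.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\system32\sortst.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft WinUpdate] C:\WINDOWS\system32\msupdte.exe
O4 - HKLM\..\Run: [e084ac37] rundll32.exe "C:\WINDOWS\system32\qhenvaxx.dll",b
O4 - HKLM\..\Run: [BMe3b79fab] Rundll32.exe "C:\WINDOWS\system32\urrlblqe.dll",s
O4 - HKLM\..\Run: [XP-6C3862C0] C:\WINDOWS\system32\XP-6C3862C0.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: ddcddBsR - ddcddBsR.dll (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-6s %-4s %s" % (f.severity, f.section, f.reason))
    print(severity_counts(triage(SAMPLE_LOG)))  # {'high': 4, 'medium': 5, 'low': 2}
```

The NvCplDaemon and ctfmon.exe lines pass through untouched, which is the point of the export-length check and the allowlist: the same loader syntax is used by legitimate software, so the shape alone is only a hint.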
#2
GeeK
Good afternoon, cotonete213.
Please follow the procedures below:
Quote:
__________________
Ubuntu 9.10. Linux user #502951. Mozilla Firefox user, version 3.5. GdH user, 3 years. GeeK
#3
Banned
Quote:
The same thing happens as with the antivirus sites and Microsoft's. It doesn't open. I tried opening it just now, it didn't work. I don't know how, but the only one that worked was HijackThis. Isn't there any way for you to analyze from it? Cheers
#4
GeeK
Malwarebytes would remove precisely the malware detected in the HijackThis log.
Let's run some tests..
1. Go to this site: http://www.confickerworkinggroup.org...feyechart.html Six images appear, 3 on top and 3 below. Tell me which ones you saw.
2. Go to Start > Run, type regedit and press Enter. Did the registry editor appear or did you get an error?
3. Press Ctrl+Alt+Del. Did Task Manager appear?
4. Go to Start > Settings > Control Panel. Did Control Panel appear?
5. Go to Start > Run, type cmd and press Enter. Did the command prompt appear?
#5
Banned
Quote:
Whenever I'm not active, when I'm reading a text, writing a topic on Orkut or here, or even playing, I can't explain it, but whenever I'm not using the desktop and such, my PC freezes. It won't open anything, simply nothing. Whether I go to drink some water or leave it downloading overnight, it doesn't matter: after any 10 minutes in which I'm not actually using it, or am playing, it won't open anything anymore. Then I open My Documents and it gives a "Browser Helper Object" thing. And that's it. Not even shutting down the PC works; I have to unplug it (I know that's very dangerous, but there's no other way). Sometimes this B.H.Object doesn't appear, but it freezes just the same. Well, it doesn't freeze if there's a video loaded on YouTube, or WMPlayer with a video, or a game open; I can use it normally. In a game it doesn't have much effect. But I can't load another video on YouTube or open another file in WMPlayer. Anyway, it freezes. But let's go.

Step 1 - The images came out like this?
X - Secure Works - X
Pufferfish - Linux penguin - Little red devil
That is, F-Secure and Trend Micro inaccessible, unavailable. The rest OK. In the table it said: = Possibly Infected by Conficker A/B variant

Step 2 - It opened normally, but, as I mentioned above, I don't know if by coincidence, after successfully opening the registry editor I couldn't do anything else, and that's why I couldn't send the reply. But it did open normally. That's why I stopped at step 2; I won't open it again for fear of freezing the PC and not being able to post. Task Manager opens normally; actually I don't open it with Ctrl+Alt+Del, I use the Start menu bar. Now I don't know whether the intention was to do the steps in sequence, because individually they all open: Control Panel, command prompt. I did them in sequence but skipped step 2 for fear of freezing. It opened all of them, but there was that hitch, I don't know if by coincidence. The detail is that, as I said, nothing opens.
After it froze, none of the steps opened, and clicking any link, like "submit reply", was simply useless. Later I'll test doing steps 1 to 5 in sequence, but in order to be able to post, I preferred to skip step two. Apparently I must have Conficker A/B, but I have no idea how serious that is. Later I'll post a new HijackThis log, because I normally close almost all the processes that can be closed, whether they belong to the user, System or Local/Network Service, leaving only the svchost ones open, because if I close those the PC shuts down. Anyway, that's it, I hope you can help me, thanks a lot in advance, and would there be any solution for the malware... and sorry for the accents and cedillas, I don't know what nonsense I clicked that disabled ABNT 2, but I'll fix it soon. Cheers
#6
Zumbi
Joined: May 2009
Posts: 7,098
Reputation: 1790
Download the application below:
http://www.grisoft.cz/filedir/util/a...ir/rmdndup.exe
* Restart your PC in safe mode and run it
* After performing the procedure above, try to download Malwarebytes
* Wait for further guidance from Djoni Filho
__________________
* Until May.... I will be less present on GDH...... -- Sporadic access --
#7
Banned
Quote:
#8
Banned
I couldn't open that one either. Same thing as always.
Neither that one nor Malwarebytes, nothing opens. Wouldn't it be a good idea for one of you friends to upload Malwarebytes for me? On Rapidshare, 4shared or the like, whichever, since I'm not a subscriber of any; otherwise I don't think I'll manage to download it. Cheers
#9
Highlander
Joined: Apr 2007
Posts: 15,642
Reputation: 2819
Good evening cotonete213
I'll give your problem a quick hand. Afterwards the others will continue with the removal of the remaining problems.
1. *Disable System Restore
2. *Download the KB958644 update and save it to the desktop
*Install it. If your Windows says the version present on your PC is more recent, cancel the installation of the update and move on to the next step.
3. *Download KK and save it to the desktop
*Extract its contents to C:\
*Temporarily disable your antivirus
Quote:
*Click OK and wait for the scan to finish. The program will close automatically.
*Paste the report created at C:\conficker.txt
Last edited by Wings: 04-12-2009 at 20:30.
#10
Banned
Quote:
Guys, the Microsoft site and the antivirus sites aren't loading; there's no point in coming up with solutions that way, since they're inaccessible to me. Unless someone uploads a program to 4shared, Rapidshare or the like, either I'll be left with nothing to do, or I'll have to format the PC. But I don't want to; I neither want to nor can. Isn't there any solution that doesn't go through Microsoft? Thanks in advance
#11
Highlander
The links have been changed... you can download what was requested.
To disable System Restore:
Quote:
#12
GeeK
Malwarebytes is useless at a time like this. Follow Wings's procedures. A case of Conficker is serious business. I'll be waiting.
#13
Banned
It came up Conficker, but I can't post the report. My PC is so slow that I made the report at 22:15 and until now I haven't managed to paste it into the page...
#14
GeeK
It's not that your PC is slow. The report really is gigantic. Just give a summary: whether KidoKiller found something and whether it removed it.
#15
Banned
Quote:
But isn't there anything else relevant in the report? But at least it found it, and now what?
#16
Highlander
See if you can download Malwarebytes and follow the instructions already posted.
#17
Banned
Citação:
bom, galera, passei o malwarebytes, levou quase 2 horas, e achou coisa demais, e pediu pra reiniciar sim. logo apos reiniciar, fiz o log do hijackthis denovo, e vo postar os dois aki agora... Segue o Relatório do Malwarebytes: Malwarebytes' Anti-Malware 1.42 Versão do banco de dados: 3297 Windows 5.1.2600 Service Pack 3 Internet Explorer 6.0.2900.5512 5/12/2009 02:05:47 mbam-log-2009-12-05 (02-05-47).txt Tipo de Verificação: Completa (C:\|) Objetos verificados: 261572 Tempo decorrido: 1 hour(s), 39 minute(s), 33 second(s) Processos da Memória infectados: 0 Módulos de Memória Infectados: 1 Chaves do Registro infectadas: 31 Valores do Registro infectados: 7 Ítens do Registro infectados: 0 Pastas infectadas: 1 Arquivos infectados: 45 Processos da Memória infectados: (Nenhum ítem malicioso foi detectado) Módulos de Memória Infectados: C:\WINDOWS\system32\sortst.dll (Trojan.Banker) -> Delete on reboot. Chaves do Registro infectadas: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\{10990d5b-d686-4cd2-81eb-c7540450a1ba} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddcddbsr (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{10990d5b-d686-4cd2-81eb-c7540450a1ba} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\{a41ef281-781d-4179-adaf-1e208737ea35} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{a41ef281-781d-4179-adaf-1e208737ea35} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\{6b9c1f28-f65c-3152-bacb-4391e195a394} (Trojan.Vundo.H) -> Quarantined and deleted successfully. 
HKEY_CLASSES_ROOT\CLSID\{6b9c1f28-f65c-3152-bacb-4391e195a394} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\{fcaddc14-bd46-408a-9842-cdbe1c6d37eb} (Trojan.BHO.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{fcaddc14-bd46-408a-9842-cdbe1c6d37eb} (Trojan.BHO.H) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{fcaddc14-bd46-408a-9842-cdbe1c6d37eb} (Trojan.Banker) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\experthelper.pornpro_bho (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\experthelper.pornpro_bho.1 (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{eb6ec5d7-7d19-a8c7-d607-f0993bf94a9f} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{10990d5b-d686-4cd2-81eb-c7540450a1ba} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Settings\{eb6ec5d7-7d19-a8c7-d607-f0993bf94a9f} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\TypeLib\{bf1db349-7ba4-3b56-a029-fd51c61219e7} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{e7e65a98-0780-3dee-a347-37207091d986} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{ae5619ca-d637-3a0e-b048-83627b096d00} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Explorer (Trojan.Banker) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\msnmsgrs (Trojan.Banker) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully. 
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\PlayMP3 (Adware.PLayMP3z) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvid er (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MSFox (Trojan.Agent) -> Quarantined and deleted successfully. Valores do Registro infectados: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\e084ac37 (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\bme3b79fab (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\ShellExecuteHooks\{10990d5b-d686-4cd2-81eb-c7540450a1ba} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\microsoft winupdate (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\w32id (Spyware.OnlineGames) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\xml2u (Spyware.OnlineGames) -> Quarantined and deleted successfully. 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\xp-6c3862c0 (Trojan.Agent) -> Quarantined and deleted successfully. Ítens do Registro infectados: (Nenhum ítem malicioso foi detectado) Pastas infectadas: C:\Documents and Settings\PAULO\Configurações locais\Temp\E_4 (Worm.AutoRun) -> Delete on reboot. Arquivos infectados: C:\WINDOWS\system32\ddcddBsR.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\nndvya.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\sortst.dll (Trojan.BHO.H) -> Delete on reboot. C:\Arquivos de programas\Internet Explorer\dll.exe (Trojan.Banker) -> Quarantined and deleted successfully. C:\WINDOWS\system32\7a9cd3.exe (Trojan.Siggen) -> Quarantined and deleted successfully. C:\WINDOWS\system32\8X-DB8CE.EXE (Trojan.Siggen) -> Quarantined and deleted successfully. C:\WINDOWS\system32\tx69451.dll (Trojan.BHO) -> Quarantined and deleted successfully. C:\WINDOWS\system32\N2-D20C5.EXE (Trojan.Flystudio) -> Quarantined and deleted successfully. C:\WINDOWS\system32\wr97477.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\system32\javaplugt.exe (Trojan.Downloader) -> Quarantined and deleted successfully. C:\WINDOWS\system32\W8-943F9.EXE (Trojan.Flystudio) -> Quarantined and deleted successfully. C:\WINDOWS\system32\msrgr.exe (Trojan.Downloader) -> Quarantined and deleted successfully. C:\WINDOWS\system32\ZOON-86A.EXE (Trojan.Flystudio) -> Quarantined and deleted successfully. C:\WINDOWS\system32\ZOOP-86A.EXE (Trojan.Flystudio) -> Quarantined and deleted successfully. C:\WINDOWS\system32\xwr97477.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Documents and Settings\PAULO\Configurações locais\Temp\E_4\com.run (Worm.AutoRun) -> Delete on reboot. C:\Documents and Settings\PAULO\Configurações locais\Temp\E_4\dp1.fne (Worm.AutoRun) -> Delete on reboot. 
C:\Documents and Settings\PAULO\Configurações locais\Temp\E_4\eAPI.fne (Worm.AutoRun) -> Delete on reboot. C:\Documents and Settings\PAULO\Configurações locais\Temp\E_4\internet.fne (Worm.AutoRun) -> Delete on reboot. C:\Documents and Settings\PAULO\Configurações locais\Temp\E_4\krnln.fnr (Worm.AutoRun) -> Delete on reboot. C:\Documents and Settings\PAULO\Configurações locais\Temp\E_4\RegEx.fnr (Worm.AutoRun) -> Delete on reboot. C:\Documents and Settings\PAULO\Configurações locais\Temp\E_4\shell.fne (Worm.AutoRun) -> Delete on reboot. C:\Documents and Settings\PAULO\Configurações locais\Temp\E_4\spec.fne (Worm.AutoRun) -> Delete on reboot. C:\WINDOWS\system32\javaplugs.cpl (Trojan.Agent) -> Quarantined and deleted successfully. C:\Arquivos de programas\Internet Explorer\javawins.exe (Trojan.Banker) -> Quarantined and deleted successfully. C:\Arquivos de programas\Internet Explorer\javawisx.exe (Trojan.Banker) -> Quarantined and deleted successfully. C:\Documents and Settings\PAULO\Menu Iniciar\Programas\Inicializar\¡¡¡¡¡¡.lnk (Worm.AutoRun) -> Quarantined and deleted successfully. C:\WINDOWS\system32\com.run (Trojan.Banker) -> Quarantined and deleted successfully. C:\WINDOWS\system32\dp1.fne (Worm.AutoRun) -> Quarantined and deleted successfully. C:\WINDOWS\system32\eAPI.fne (Worm.AutoRun) -> Quarantined and deleted successfully. C:\WINDOWS\system32\internet.fne (Worm.AutoRun) -> Quarantined and deleted successfully. C:\WINDOWS\system32\krnln.fnr (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully. C:\WINDOWS\system32\msupdte.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\WINDOWS\system32\og.dll (Worm.AutoRun) -> Quarantined and deleted successfully. C:\WINDOWS\system32\og.EDT (Worm.AutoRun) -> Quarantined and deleted successfully. C:\WINDOWS\system32\RegEx.fnr (Worm.AutoRun) -> Quarantined and deleted successfully. 
C:\WINDOWS\system32\shell.fne (Worm.AutoRun) -> Quarantined and deleted successfully. C:\WINDOWS\system32\spec.fne (Worm.AutoRun) -> Quarantined and deleted successfully. C:\WINDOWS\system32\ul.dll (Worm.AutoRun) -> Quarantined and deleted successfully. C:\WINDOWS\BMe3b79fab.txt (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\BMe3b79fab.xml (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully. C:\WINDOWS\winmem.ini (Malware.Trace) -> Quarantined and deleted successfully. C:\WINDOWS\system32\XP-6C3862C0.EXE (Trojan.Agent) -> Delete on reboot.

_____________________________

Here is the HijackThis report after Malwarebytes:

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 02:13:54, on 5/12/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe C:\Arquivos de programas\Java\jre6\bin\jqs.exe C:\WINDOWS\system32\drivers\KodakCCS.exe C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\ScsiAccess.EXE C:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe C:\ARQUIV~1\AVG\AVG8\avgemc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\VTTimer.exe C:\WINDOWS\SOUNDMAN.EXE C:\ARQUIV~1\AVG\AVG8\avgtray.exe C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\msrgr.exe C:\Arquivos de programas\Java\jre6\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMBgMonitor.exe C:\Arquivos de programas\SEC\Natural Color\NaturalColorLoad.exe C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexingService.exe C:\Arquivos de programas\Kodak\Kodak EasyShare software\bin\EasyShare.exe C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexStoreSvr.exe C:\Arquivos de programas\Windows Desktop Search\WindowsSearch.exe C:\Arquivos de programas\Windows Desktop Search\WindowsSearchIndexer.exe C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askR...25&gct=&gc=1&q= R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askR...25&gct=&gc=1&q= R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askR...gct=&gc=1&q=%s R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Arquivos de programas\AskSearch\bin\DefaultSearch.dll (file missing) F3 - REG:win.ini: load=C:\WINDOWS\system32\{HCQ9D-TVCWX-X9QRG-J4B2Y-GR2TT-CM3HY-26VYW-6JRYC-X66GX-JVY2D}.vbs O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {10990D5B-D686-4CD2-81EB-C7540450A1BA} - (no file) O2 - BHO: (no name) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file) O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Arquivos de programas\Windows Desktop Search\dsWebAllow.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program 
Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Arquivos de programas\AVG\AVG8\avgssie.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) O2 - BHO: (no name) - {6B9C1F28-F65C-3152-BACB-4391E195A394} - (no file) O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Arquivos de programas\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\ARQUIV~1\MICROS~2\Office12\GRA8E1~1.DLL O2 - BHO: (no name) - {78FE2992-05C3-4B43-A760-0E04F277F131} - C:\WINDOWS\system32\nnnmkLBR.dll (file missing) O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\ARQUIV~1\AVG\AVG8\AVGTOO~1.DLL O2 - BHO: (no name) - {A057A204-BACC-4D26-9F9D-3BEFCFBE6E86} - (no file) O2 - BHO: (no name) - {a41ef281-781d-4179-adaf-1e208737ea35} - (no file) O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file) O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.d ll O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - (no file) O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - 
C:\ARQUIV~1\AVG\AVG8\AVGTOO~1.DLL O3 - Toolbar: (no name) - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - (no file) O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9F9D-3BEFCFBE6E86} - (no file) O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file) O3 - Toolbar: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - (no file) O3 - Toolbar: (no name) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file) O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Arquivos de programas\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb0 9.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARQUIV~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NeroCheck.exe O4 - HKLM\..\Run: [NBKeyScan] "C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" O4 - HKLM\..\Run: [RemoteControl8] "C:\Arquivos de programas\CyberLink\PowerDVD8\PDVD8Serv.exe" O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD8\Language\Language.ex e" O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: 
[msnmsgrs] C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\msrgr.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [NitroPC] "C:\Arquivos de programas\NitroPC\NitroPC.exe" -minimized O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [Avi Player] "C:\Arquivos de programas\Avi Player\AviPlayer.exe" hmw O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMBgMonitor.exe" O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: msrgr.exe O4 - Global Startup: NaturalColorLoad.lnk = ? 
O4 - Global Startup: Software Kodak EasyShare.lnk = C:\Arquivos de programas\Kodak\Kodak EasyShare software\bin\EasyShare.exe O4 - Global Startup: Windows Desktop Search.lnk = C:\Arquivos de programas\Windows Desktop Search\WindowsSearch.exe O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Arquivos de programas\PartyGaming\PartyPoker\RunApp.exe (file missing) O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Arquivos de programas\PartyGaming\PartyPoker\RunApp.exe (file missing) O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de 
programas\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab O16 - DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} (UploadListView Class) - http://picasaweb.google.com/s/v/57.11/uploader2.cab O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/45.19/uploader2.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1214608929109 O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01...l/MSNPUpld.cab O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\ARQUIV~1\MICROS~2\Office12\GR99D3~1.DLL O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Arquivos de programas\AVG\AVG8\avgpp.dll O20 - Winlogon Notify: GbiehCef - C:\WINDOWS\ O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O20 - Winlogon Notify: ddcddBsR - C:\WINDOWS\ O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgemc.exe O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. 
- C:\Arquivos de programas\Java\jre6\bin\jqs.exe O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexingService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Arquivos de programas\Arquivos comuns\SolidWorks Shared\Service\SolidWorksLicensing.exe -- End of file - 13149 bytes

____________________________

Done, everyone, I followed every step that was suggested to me. Awaiting further instructions. Thanks to all.

PS: one of the problems is already solved; I can now freely access not only the Microsoft site but also the antivirus sites. I went to http://www.confickerworkinggroup.org...feyechart.html again and got the result I wanted: all 6 images appeared, so I no longer have Conficker. Now waiting to get the rest of the problems solved (I have not yet tested how the PC behaves with games or videos). Cheers.

Last edited by UMARIZAL: 09-12-2009 at 11:04. Reason: merging consecutive posts.
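Added example, not code from the thread or from HijackThis itself: a small Python triage script for the HijackThis log format posted above. It parses the `Rn`/`Fn`/`On` entry lines and applies a few of the checks a helper applies by eye when deciding what to tick under [Fix checked]: entries ending in "(no file)" or "(file missing)" are dangling references whose removal touches no file; F3 win.ini load= hooks, Winlogon Notify entries that name a directory instead of a DLL, raw executables in the Startup folder, Run keys pointing into a Startup folder, and services with an unknown owner are only flagged for a human to look at. The sample log is constructed from entries quoted in the thread; the .vbs file name in the F3 line is a placeholder, and the heuristics and tag names are my own assumptions, not HijackThis's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on the HijackThis entries quoted in the thread.
# The .vbs name in the F3 line is a placeholder, not the file from the log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?q=%s
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Arquivos de programas\AskSearch\bin\DefaultSearch.dll (file missing)
F3 - REG:win.ini: load=C:\WINDOWS\system32\placeholder-load-hook.vbs
O2 - BHO: (no name) - {10990D5B-D686-4CD2-81EB-C7540450A1BA} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [msnmsgrs] C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\msrgr.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARQUIV~1\AVG\AVG8\avgtray.exe
O4 - Global Startup: msrgr.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Arquivos de programas\Windows Desktop Search\WindowsSearch.exe
O20 - Winlogon Notify: ddcddBsR - C:\WINDOWS\
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
"""

# One HijackThis entry: section code, " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{0,2}) - (?P<body>.+)$")
# Startup folder on a Portuguese or English Windows XP install.
STARTUP_DIR_RE = re.compile(r"\\(Inicializar|Startup)\\", re.IGNORECASE)


@dataclass
class Finding:
    kind: str      # HijackThis section code, e.g. "O2"
    tag: str       # short reason label (my own names)
    severity: str  # "fix": safe to tick in Fix checked; "review": needs a human
    line: str      # the log line that triggered the finding


def classify(kind: str, body: str) -> Optional[Tuple[str, str]]:
    """Apply the triage heuristics to one parsed entry."""
    b = body.rstrip()
    # Dangling references: the registry still points at a file that is gone.
    # Fixing them removes only the reference, never a file.
    if b.endswith("(no file)") or b.endswith("(file missing)"):
        return "orphan", "fix"
    # F0-F3 are win.ini/system.ini load=/run=/shell= hooks, a legacy autostart
    # that current software does not use, so any entry here deserves a look.
    if kind in ("F0", "F1", "F2", "F3"):
        return "legacy-load-hook", "review"
    # A Winlogon Notify package must name a DLL; a bare directory means the
    # DLL is gone but the registration was left behind.
    if kind == "O20" and b.endswith("\\"):
        return "notify-dir-not-dll", "fix"
    if kind == "O4":
        if body.startswith("Global Startup:"):
            target = body.split(":", 1)[1].strip()
            # Legitimate Startup-folder items are .lnk shortcuts, not raw executables.
            if ".lnk" not in target.lower():
                return "raw-exe-in-startup", "review"
        elif STARTUP_DIR_RE.search(body):
            # A Run key launching something that lives in a Startup folder is
            # double persistence; installers do not normally do this.
            return "run-key-into-startup-folder", "review"
    if kind == "O23" and "Unknown owner" in body:
        return "service-unknown-owner", "review"
    return None


def triage(log_text: str) -> List[Finding]:
    """Parse a HijackThis log and return the entries worth attention, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, "Running processes" paths, blank lines
        hit = classify(m.group("kind"), m.group("body"))
        if hit:
            findings.append(Finding(m.group("kind"), hit[0], hit[1], line))
    return findings


def fix_list(findings: List[Finding]) -> List[str]:
    """The lines that can go straight into Fix checked; the rest are for review."""
    return [f.line for f in findings if f.severity == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind:<3} {f.tag:<28} {f.line[:80]}")
```

Run it as a script to print the table, or import `triage` and feed it a saved log. The heuristics are deliberately conservative: only dangling references are marked `fix`; everything else still needs the path checked against the vendor and the file itself scanned, which is what the Malwarebytes and ComboFix steps in this thread do.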
#18
Highlander
Good morning cotonete213
1. *Delete the files C:\KK.exe and C:\conficker.txt
2. *Delete the kb958644 update
3. *Open Malwarebytes and, on the [Quarantine] tab, select all the results and click [Remove all]
*Click the [Logs] tab, select the report and click [Remove]
4. Quote:
*Run HijackThis, click [Do a system scan only], select the entries below and click [Fix checked]
Quote:
6. *Temporarily disable your antivirus
Quote:
*Double-click the Combofix.exe file
*Accept the agreement
*If the Windows Recovery Console is already installed, ComboFix will carry on automatically. If it is not, a window like the one below will open; accept its installation.
*After the installation, click [Yes] to continue.
*Important: while ComboFix is running, do not use the mouse or the keyboard! To abort the procedure press N or 2 and then ENTER.
*The program will close automatically
*Paste the report created at C:\combofix.txt
#19
Done, everything is finished, here is the report:
ComboFix 09-12-04.05 - PAULO 05/12/2009 15:27.1.1 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.1279.854 [GMT -2:00] Executando de: c:\documents and settings\PAULO\Desktop\ComboFix.exe AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} . ((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))) ) . c:\arquivos de programas\AVI Codec Pack c:\arquivos de programas\AVI Codec Pack\ffdhow\ffdshow.ax c:\arquivos de programas\AVI Codec Pack\ffdhow\ffdshow.ax.manifest c:\arquivos de programas\AVI Codec Pack\ffdhow\libavcodec.dll c:\arquivos de programas\AVI Codec Pack\ffdhow\libmpeg2_ff.dll c:\arquivos de programas\AVI Codec Pack\ffdhow\libmplayer.dll c:\arquivos de programas\AVI Codec Pack\ffdhow\TomsMoComp_ff.dll c:\documents and settings\All Users\Dados de aplicativos\Microsoft\WLSetup c:\documents and settings\All Users\Dados de aplicativos\Microsoft\WLSetup\Logs\2009-03-24_18-35_a08-h3brc0sc.log c:\windows\svchost c:\windows\system32\drivers\npf.sys c:\windows\system32\nod32kut.exe c:\windows\system32\Packet.dll c:\windows\system32\pthreadVC.dll c:\windows\system32\RBLkmnnn.ini c:\windows\system32\RBLkmnnn.ini2 c:\windows\system32\WanPacket.dll c:\windows\system32\wpcap.dll c:\windows\system32\xxavnehq.ini . (((((((((((((((( Arquivos/Ficheiros criados de 2009-11-05 to 2009-12-05 )))))))))))))))))))))))))))) . 2009-12-05 17:55 . 2009-12-05 17:55 -------- d-----w- c:\windows\LastGood 2009-12-05 02:21 . 2009-12-05 02:21 -------- d-----w- c:\documents and settings\PAULO\Dados de aplicativos\Malwarebytes 2009-12-05 02:21 . 2009-12-03 18:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-12-05 02:21 . 2009-12-05 02:21 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes 2009-12-05 02:21 . 2009-12-05 02:21 -------- d-----w- c:\arquivos de programas\Malwarebytes' Anti-Malware 2009-12-05 02:21 . 
2009-12-03 18:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-12-04 19:42 . 2009-12-04 19:42 -------- d-----w- c:\arquivos de programas\Trend Micro 2009-11-23 02:02 . 2009-11-23 02:02 -------- d-----w- c:\windows\system32\XPSViewer 2009-11-23 02:01 . 2009-11-23 02:01 -------- d-----w- C:\dcc0c711670134ae236bb3219d 2009-11-23 02:01 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintpr oc.dll 2009-11-23 02:01 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll 2009-11-23 02:01 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll 2009-11-23 02:01 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll 2009-11-23 02:01 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll 2009-11-23 02:01 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll 2009-11-23 02:01 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesv c.exe 2009-11-23 02:01 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfil terpipelinesvc.exe 2009-11-23 01:23 . 2009-11-23 01:23 -------- d-----w- c:\arquivos de programas\Reference Assemblies 2009-11-15 20:05 . 2009-11-15 20:05 -------- d-----w- c:\documents and settings\PAULO\Dados de aplicativos\SolidWorksNewsReader 2009-11-15 19:55 . 2009-11-16 01:12 -------- d-----w- c:\documents and settings\PAULO\Dados de aplicativos\SolidWorks 2009-11-15 19:52 . 2009-11-15 19:52 -------- d-----w- c:\documents and settings\PAULO\Dados de aplicativos\DWGeditor 2009-11-15 19:51 . 2009-11-15 19:51 -------- d-----w- c:\arquivos de programas\DWGeditor 2009-11-15 19:50 . 2009-11-15 19:50 61440 ----a-r- c:\documents and settings\PAULO\Dados de aplicativos\Microsoft\Installer\{26621E14-A45B-45CD-9ED9-7A0A9B585DB4}\NewShortcut1_3668F00AED454A6E8105AD5 B99FD99C6.exe 2009-11-15 19:50 . 
2009-11-15 19:50 61440 ----a-r- c:\documents and settings\PAULO\Dados de aplicativos\Microsoft\Installer\{26621E14-A45B-45CD-9ED9-7A0A9B585DB4}\ARPPRODUCTICON.exe 2009-11-15 19:50 . 2009-11-15 19:50 -------- d-----w- c:\arquivos de programas\SolidWorks Installation Manager 2009-11-15 19:49 . 2004-11-05 13:08 670208 ----a-w- c:\windows\system32\drivers\hardlock.sys 2009-11-15 19:45 . 2009-11-15 19:49 -------- d-----w- c:\arquivos de programas\Arquivos comuns\eDrawings2007 2009-11-15 19:40 . 2009-11-15 19:53 -------- d-----w- c:\arquivos de programas\Arquivos comuns\SolidWorks Shared 2009-11-15 19:39 . 2009-11-15 20:04 -------- d-----w- c:\arquivos de programas\SolidWorks 2009-11-15 19:39 . 2009-11-15 19:39 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Solidworks Data 2009-11-15 19:38 . 2009-11-15 19:38 -------- d-----w- c:\documents and settings\PAULO\Dados de aplicativos\Windows Desktop Search 2009-11-15 19:36 . 2009-11-15 19:38 -------- d-----w- c:\arquivos de programas\Windows Desktop Search 2009-11-07 15:35 . 2006-10-26 21:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr .dll 2009-11-07 15:35 . 2006-10-26 21:56 32592 ----a-w- c:\windows\system32\msonpmon.dll 2009-11-07 14:27 . 2009-11-07 14:27 -------- d-----w- c:\arquivos de programas\Microsoft Works 2009-11-07 14:27 . 2009-11-23 02:02 -------- d-----w- c:\arquivos de programas\MSBuild 2009-11-07 14:22 . 2009-11-07 14:22 -------- d-----w- c:\arquivos de programas\Microsoft.NET 2009-11-07 14:12 . 2009-11-07 14:12 -------- d-----w- c:\arquivos de programas\Microsoft Visual Studio 8 2009-11-07 14:07 . 2009-11-07 14:07 -------- d-----r- C:\MSOCache . ((((((((((((((((((((((((((((((((((((( Relatório Find3M )))))))))))))))))))))))))))))))))))))))))))))))))) )) . 2009-12-04 19:13 . 2008-08-13 05:47 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\avg8 2009-11-23 02:03 . 2001-10-28 15:07 79980 ----a-w- c:\windows\system32\perfc016.dat 2009-11-23 02:03 . 
2001-10-28 15:07 471022 ----a-w- c:\windows\system32\perfh016.dat 2009-11-19 13:48 . 2008-11-22 16:25 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help 2009-11-18 11:42 . 2008-06-04 00:23 -------- d-----w- c:\documents and settings\PAULO\Dados de aplicativos\LimeWire 2009-11-11 21:40 . 2008-04-07 05:23 26 -c--a-w- c:\windows\popcinfo.dat 2009-11-06 19:41 . 2009-03-02 17:40 -------- d-----w- c:\documents and settings\PAULO\Dados de aplicativos\Sports Interactive 2009-11-04 22:53 . 2009-11-04 22:53 -------- d-----w- c:\arquivos de programas\Sports Interactive 2009-11-04 20:29 . 2008-05-08 23:29 -------- d-----w- c:\documents and settings\PAULO\Dados de aplicativos\uTorrent 2009-11-01 19:35 . 2009-11-01 19:34 -------- d-----w- c:\documents and settings\PAULO\Dados de aplicativos\IM 2009-10-25 03:00 . 2009-10-24 21:23 23040 ----a-w- c:\windows\system32\Q5-CE9D2.EXE 2009-10-24 21:22 . 2009-10-24 21:22 23040 --sh--w- c:\windows\system32\ZOON-56A.EXE 2009-10-10 03:10 . 2009-10-06 05:25 -------- d-----w- c:\arquivos de programas\Mozilla Thunderbird 2009-10-07 02:57 . 2009-10-07 02:57 4948620 ----a-w- c:\arquivos de programas\7.sistema_circulatorio.pdf 2009-10-07 02:42 . 2009-10-07 02:42 426496 ----a-w- c:\arquivos de programas\cardio-1[1].ppt 2009-10-06 14:58 . 2009-10-02 21:21 23040 ----a-w- c:\windows\system32\Z6-5AE35.EXE 2009-10-02 21:21 . 2009-10-02 21:21 23040 --sh--w- c:\windows\system32\WVTUIE5.EXE 2009-10-02 11:52 . 2009-09-26 22:05 23552 ----a-w- c:\windows\system32\W4-021A7.EXE 2009-09-29 01:03 . 2009-09-26 18:59 23040 ----a-w- c:\windows\system32\N2-DCAB0.EXE 2009-09-27 02:49 . 2009-09-27 02:49 152576 ----a-w- c:\documents and settings\PAULO\Dados de aplicativos\Sun\Java\jre1.6.0_15\lzma.dll 2009-09-26 22:05 . 2009-09-26 22:05 23552 --sh--w- c:\windows\system32\ZVTULE6.EXE 2009-09-26 18:59 . 2009-09-26 18:59 23040 --sh--w- c:\windows\system32\LPHULE6.EXE 2009-09-26 03:49 . 
2009-09-21 20:36 23552 ----a-w- c:\windows\system32\Z3-CF909.EXE 2009-09-25 20:33 . 2009-09-23 16:44 23040 ------w- c:\windows\system32\Z8-F0568.EXE 2009-09-23 16:44 . 2009-09-23 16:44 23040 --sh--w- c:\windows\system32\H8T3B3.EXE 2009-09-23 13:34 . 2009-09-16 22:49 22016 ----a-w- c:\windows\system32\3N-602ED3.EXE 2009-09-21 20:36 . 2009-09-21 20:36 23552 --sh--w- c:\windows\system32\ZPHULE6.EXE 2009-09-16 22:49 . 2009-09-16 22:49 22016 --sh--w- c:\windows\system32\B62C36.EXE 2009-09-16 05:39 . 2009-09-14 19:18 22016 ----a-w- c:\windows\system32\7G-602ED.EXE 2009-09-15 02:47 . 2009-09-15 02:47 162 ---ha-w- c:\arquivos de programas\~$LA 1_090707.doc 2009-09-14 19:18 . 2009-09-14 19:18 22016 --sh--w- c:\windows\system32\F62C71.EXE 2009-09-14 04:28 . 2009-09-08 22:12 21504 ----a-w- c:\windows\system32\9W-3DC76.EXE 2009-09-13 23:31 . 2009-09-13 23:31 1078 ----a-r- c:\documents and settings\PAULO\Dados de aplicativos\Microsoft\Installer\{FEF07CF4-5834-4AF1-9DEA-9EE94B53C6EB}\_7a5a767d.exe 2009-09-13 23:31 . 2009-09-13 23:31 1078 ----a-r- c:\documents and settings\PAULO\Dados de aplicativos\Microsoft\Installer\{FEF07CF4-5834-4AF1-9DEA-9EE94B53C6EB}\_45091238.exe 2009-09-13 23:31 . 2009-09-13 23:31 1078 ----a-r- c:\documents and settings\PAULO\Dados de aplicativos\Microsoft\Installer\{FEF07CF4-5834-4AF1-9DEA-9EE94B53C6EB}\_3b251e1f.exe 2009-09-08 22:12 . 2009-09-08 22:12 21504 --sh--w- c:\windows\system32\69a8c2.exe 2009-08-18 06:16 . 2009-08-18 06:16 1128960 ----a-w- c:\arquivos de programas\AULA 2_090707.doc 2009-08-18 06:07 . 2009-08-18 06:07 139776 ----a-w- c:\arquivos de programas\AULA 1_090707.doc . ------- Sigcheck ------- [-] 2009-08-07 . 0DC32D8AACF1BE72A1404CE4C8C67E5B . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\TCPIP.SYS [-] 2009-08-07 . 0DC32D8AACF1BE72A1404CE4C8C67E5B . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\TCPIP.SYS [7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . 
c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys [7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys [7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys [7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys [7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys [7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\TCPIP.SYS [-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys [-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys [7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB941644$\tcpip.sys . (((((((((((((((((((((((((( Pontos de Carregamento do Registro ))))))))))))))))))))))))))))))))))))))) . . *Nota* entradas vazias e legítimas por defeito não são mostradas. REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\arquivos de programas\Arquivos comuns\Nero\Lib\NMBgMonitor.exe" [2007-09-20 202024] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run] "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86 \3\hpztsb09.exe" [2003-11-07 176128] "AVG8_TRAY"="c:\arquiv~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-12 7630848] "NvMediaCenter"="c:\windows\system32\NvMcTray. 
dll" [2006-08-12 86016] "Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792] "NeroFilterCheck"="c:\arquivos de programas\Arquivos comuns\Nero\Lib\NeroCheck.exe" [2007-03-01 153136] "NBKeyScan"="c:\arquivos de programas\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328] "TkBellExe"="c:\arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" [2009-03-25 198160] "SunJavaUpdateSched"="c:\arquivos de programas\Java\jre6\bin\jusched.exe" [2009-07-25 149280] "VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2008-04-01 53248] "SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-09-22 90112] "VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2008-04-01 147456] "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-08-12 1519616] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] c:\documents and settings\Administrador\Menu Iniciar\Programas\Inicializar\ msrgr.exe [2009-5-27 864256] c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\ msrgr.exe [2009-5-27 864256] NaturalColorLoad.lnk - c:\arquivos de programas\SEC\Natural Color\NaturalColorLoad.exe [2008-9-20 155715] Software Kodak EasyShare.lnk - c:\arquivos de programas\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-4-27 635019] Windows Desktop Search.lnk - c:\arquivos de programas\Windows Desktop Search\WindowsSearch.exe [2006-3-26 257752] [hkey_local_machine\software\microsoft\windows\curr entversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\arquivos de programas\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-02-05 21:24 10520 ----a-w- c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\Wdf01000.sys] @="Driver" 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=
"c:\\Arquivos de programas\\Outlook Express\\msimn.exe"=
"c:\\Documents and Settings\\All Users\\Dados de aplicativos\\NexonUS\\NGM\\NGM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Arquivos de programas\\uTorrent\\uTorrent.exe"=
"c:\\Arquivos de programas\\Arquivos comuns\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Arquivos de programas\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Arquivos de programas\\Sports Interactive\\Football Manager 2010\\fm.exe"=
"c:\\Arquivos de programas\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Arquivos de programas\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Arquivos de programas\\Microsoft Office\\Office12\\ONENOTE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"9784:TCP"= 9784:TCP:unneyqzl
"49152:TCP"= 49152:TCP:µTorrent
"49152:UDP"= 49152:UDP:uTorrent
"57343:TCP"= 57343:TCP:uTorrent
"57343:UDP"= 57343:UDP:uTorrent

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [26/1/2009 15:48 717296]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [13/8/2008 03:47 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [13/8/2008 03:48 107272]
R2 avg8emc;AVG8 E-mail Scanner;c:\arquiv~1\AVG\AVG8\avgemc.exe [13/8/2008 03:47 875288]
R2 avg8wd;AVG8 WatchDog;c:\arquiv~1\AVG\AVG8\avgwdsvc.exe [13/8/2008 03:47 231704]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\arquivos de programas\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [13/8/2009 14:52 26736]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [18/7/2009 17:04 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [18/7/2009 17:04 8320]
S3 sxgkexq;sxgkexq;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 VICHW00;VICHW00;\??\c:\windows\SYSTEM32\DRIVERS\VICHW00.SYS --> c:\windows\SYSTEM32\DRIVERS\VICHW00.SYS [?]
S3 wnizvqjsc;wnizvqjsc;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
.
Conteúdo da pasta 'Tarefas Agendadas'
.
.
------- Scan Suplementar -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com.br/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13925&gct=&gc=1&q=%s
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/57.11/uploader2.cab
FF - ProfilePath - c:\documents and settings\PAULO\Dados de aplicativos\Mozilla\Firefox\Profiles\86hy46yx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.br/firefox?client=firefox-a&rls=org.mozilla:pt-BR:official
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13925&gct=&gc=1&q=
FF - component: c:\documents and settings\PAULO\Dados de aplicativos\Mozilla\Firefox\Profiles\86hy46yx.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - plugin: c:\arquivos de programas\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll

---- FIREFOX POLICIES ----
pref(dom.disable_open_during_load, false);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.
.
------- Associação de arquivos/ficheiros -------
.
txtfile=%SystemRoot%\System32\WScript.exe "c:\windows\{HCQ9D-TVCWX-X9QRG-J4B2Y-GR2TT-CM3HY-26VYW-6JRYC-X66GX-JVY2D}.vbs" %1 %*
.
- - - - ORFÃOS REMOVIDOS - - - -

WebBrowser-{A057A204-BACC-4D26-9F9D-3BEFCFBE6E86} - (no file)
WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)
HKCU-Run-NitroPC - c:\arquivos de programas\NitroPC\NitroPC.exe
HKCU-Run-Avi Player - c:\arquivos de programas\Avi Player\AviPlayer.exe
HKCU-Run-AdobeBridge - (no file)
HKLM-Run-Adobe Photo Downloader - c:\arquivos de programas\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
HKLM-Run-QuickTime Task - c:\arquivos de programas\QuickTime\qttask.exe
HKLM-Run-RemoteControl8 - c:\arquivos de programas\CyberLink\PowerDVD8\PDVD8Serv.exe
HKLM-Run-PDVD8LanguageShortcut - c:\arquivos de programas\CyberLink\PowerDVD8\Language\Language.exe
HKLM-Run-Cmaudio - cmicnfg.cpl
Notify-GbiehCef - (no file)
AddRemove-NVIDIA Drivers - c:\windows\system32\nvudisp.exe UninstallGUI
AddRemove-RealJukebox 1.0 - c:\arquivos de programas\Arquivos comuns\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-RealPlayer 6.0 - c:\arquivos de programas\Arquivos comuns\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-05 16:00
Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...
Procurando entradas auto inicializáveis ocultas ...
Procurando ficheiros/arquivos ocultos ...

c:\windows\KB974112.log 3760 bytes

Varredura completada com sucesso
arquivos/ficheiros ocultos: 1

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spbj.sys >>UNKNOWN [0x8A0ED938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9e67cb8
\Driver\atapi -> atapi.sys @ 0xb9dfcb40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
NDIS: Realtek RTL8139 Family PCI Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xb9d05bd4
PacketIndicateHandler -> NDIS.sys @ 0xb9d11a21
SendHandler -> NDIS.sys @ 0xb9d05d44
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\EverestDriver]
"ImagePath"="\??\c:\arquivos de programas\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\sxgkexq]
"ImagePath"="\??\c:\windows\system32\02.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\wnizvqjsc]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

[HKEY_USERS\S-1-5-21-448539723-1284227242-682003330-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2009 XE]
"GameDir"="c:\\Documents and Settings\\PAULO\\Meus documentos\\Sports Interactive\\Football Manager 2009\\games"
"ShortlistDir"="c:\\Documents and Settings\\PAULO\\Meus documentos\\Sports Interactive\\Football Manager 2009\\shortlists"
"ScreenshotsDir"="c:\\Documents and Settings\\PAULO\\Meus documentos\\Sports Interactive\\Football Manager 2009"
"SaveDir"="c:\\Documents and Settings\\PAULO\\Meus documentos\\Sports Interactive\\Football Manager 2009\\"
"HistoryDir"="c:\\Documents and Settings\\PAULO\\Meus documentos\\FM Genie Scout 2009 XE\\History Points"
"LangDB"="c:\\Arquivos de programas\\Sports Interactive\\Football Manager 2009\\data\\updates\\update-910\\db\\910\\lang_db.dat"
"LastSaveGame"="c:\\Documents and Settings\\PAULO\\Meus documentos\\Sports Interactive\\Football Manager 2009\\games\\Geral.fm"
"Language"="English"
"LoadLangDB"=dword:00000000
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000032
"SkinName"="Champions League"
"LastUpdateCheck"=dword:00000000
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"Version"=dword:00000067
"UniqueID"="84-0450-6BBF"
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""
"Currency"=dword:00000056
"GraphStep"=dword:00000000

[HKEY_USERS\S-1-5-21-448539723-1284227242-682003330-1003\Software\Microsoft\SystemCertificates\Address Book*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'explorer.exe'(2212)
c:\arquivos de programas\Windows Media Player\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\arquivos de programas\Arquivos comuns\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Outros Processos em Execução ------------------------
.
c:\arquivos de programas\Java\jre6\bin\jqs.exe
c:\windows\system32\drivers\KodakCCS.exe
c:\arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wscntfy.exe
c:\arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexingService.exe
c:\arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexStoreSvr.exe
c:\arquivos de programas\Windows Desktop Search\WindowsSearchIndexer.exe
.
**************************************************************************
.
Tempo para conclusão: 2009-12-05 16:12 - Máquina reiniciou
ComboFix-quarantined-files.txt 2009-12-05 18:12

Pré-execução: 10 pasta(s) 15.410.446.336 bytes disponíveis
Pós execução: 14 pasta(s) 15.388.487.680 bytes disponíveis

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 8BC0E0C7A700C2B0ECA6B4AA8FF1FF13

awaiting... hugs and thanks
#20 (permalink)
Highlander
Registered: Apr 2007
Posts: 15.642
Reputation: 2819
Good evening cotonete213
1. *Run HijackThis, click [Do a system scan only], select the entries below and click [Fix checked] Quote:
2. *Open Notepad, then select, copy and paste into it the entire content of the code below: Quote:
*Drag the file onto ComboFix as shown in the illustration below: *Important: while ComboFix is running, do not use the mouse or the keyboard!!..to stop the process press N or 2. *Paste the report created at C:\combofix.txt and a new HijackThis log
Last edited by Wings: 05-12-2009 at 21:43.