Hardware.com.br

MBR PhysicalDrive?

#1 By FelipeUra 11/08/2010 - 23:11
Well, I'm new here and I need your help. Before posting I searched in several places about this problem, even here, but I didn't find anything, so I opened this topic to try to solve my problem.. well, here goes


I use NOD32 Smart Security, and for a day now I've been having this problem.. every time I turn on the computer, a little antivirus balloon pops up with the following message

Image

this without clicking on anything. But I've already scanned with antispyware and antivirus, and nothing was detected.., and formatting the computer didn't solve the problem either...

I found on a Chilean site something about what this is; it says it's as if it were clicking on a banner every 10 minutes or so... and that it's really hard to detect with antivirus etc., but that there is a tool from EsageLab that removes it.

so I downloaded it and ran it..

Image

but when I try to run the "cleanup" I can't, because this message appears when I run the commands: Run > cmd remover.exe fix \\.\PhysicalDrive0

Image


I don't know if it's needed, but here's the HijackThis log too:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 22:55:10, on 11/8/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Arquivos de programas\ESET\ESET Smart Security\egui.exe
C:\Arquivos de programas\ESET\ESET Smart Security\ekrn.exe
C:\Arquivos de programas\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe
C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\CTBC\NetSuper\app\TangoService.exe
C:\Arquivos de programas\Windows Live\Contacts\wlcomm.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\mspaint.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\cmd.exe
C:\Windows\system32\notepad.exe
C:\Documents and Settings\Felipe\Meus documentos\Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Arquivos de programas\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [egui] "C:\Arquivos de programas\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [RivaTuner] "C:\Arquivos de programas\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe" /T
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Arquivos de programas\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe" /S
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] D:\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Pando Media Booster] C:\Arquivos de programas\Pando Networks\Media Booster\PMB.exe
O4 - HKCU\..\Run: [MemStat] C:\Arquivos de programas\MemStat XP\MemStat.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Comrade.exe] C:\Arquivos de programas\GameSpy\Comrade\Comrade.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/pt/uno1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Arquivos de programas\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Arquivos de programas\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Arquivos de programas\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Arquivos de programas\CTBC\NetSuper\app\TangoService.exe

--
End of file - 7567 bytes


I await replies, thanks in advance hehe.

Felipe
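The symptom described in the post (an antivirus alert naming \\.\PhysicalDrive0, nothing found by file-level scans, a reinstall that does not help) is what an MBR bootkit looks like: the malicious code sits in the first sector of the disk, outside any file system that a format would rewrite. Below is an added example, not code from the thread or from the EsageLab tool, that parses a 512-byte MBR, checks its boot signature, decodes the partition table and hashes the bootstrap code so it can be compared with a known-good baseline. The sample sector and the baseline are constructed here; `read_mbr` assumes you pass a disk image or a raw device path such as \\.\PhysicalDrive0 (which needs Administrator on Windows).

```python
"""MBR inspection helper (added example, not the thread's or EsageLab's code).

Works on a raw device (e.g. r"\\.\PhysicalDrive0", Administrator required on
Windows) or on any disk image file of at least 512 bytes.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 446            # bytes 0..445: bootstrap code (what a bootkit replaces)
PARTITION_TABLE_OFF = 446     # four 16-byte partition entries follow the code
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count


def read_mbr(path: str) -> bytes:
    """Read sector 0 from a device or image file."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(ENTRY_FMT, entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-signature check, the bootstrap-code hash and the non-empty partitions."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("MBR must be at least 512 bytes")
    sector = sector[:SECTOR_SIZE]
    entries = [parse_partition_entry(sector[PARTITION_TABLE_OFF + 16 * i:
                                            PARTITION_TABLE_OFF + 16 * (i + 1)])
               for i in range(4)]
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "partitions": [e for e in entries if e["type"] != 0x00],
    }


def bootcode_matches_baseline(sector: bytes, baseline_sha256: str) -> bool:
    """True when the bootstrap code is byte-for-byte the recorded known-good code.

    The partition table is deliberately left out of the hash: it changes for
    legitimate reasons, while the bootstrap code of an installed system should not.
    """
    return parse_mbr(sector)["bootcode_sha256"] == baseline_sha256.lower()


def build_sample_mbr(bootcode: bytes) -> bytes:
    """Constructed test sector: the given bootstrap bytes plus one bootable NTFS partition at LBA 63."""
    code = bootcode.ljust(BOOTCODE_LEN, b"\x00")[:BOOTCODE_LEN]
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2097152)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE


if __name__ == "__main__":
    # Baseline from a clean sector (constructed here; on a real machine record it right
    # after installation, or from a sector read while booted from known-good media).
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
    baseline = parse_mbr(clean)["bootcode_sha256"]
    # Same partition table, different bootstrap code: the partition list is unchanged,
    # so only the code hash reveals the tampering.
    suspect = build_sample_mbr(b"\xeb\xfe")
    for name, sector in (("clean", clean), ("suspect", suspect)):
        info = parse_mbr(sector)
        print(name, "signature_ok=%s" % info["signature_ok"],
              "baseline_match=%s" % bootcode_matches_baseline(sector, baseline),
              "partitions=%d" % len(info["partitions"]))
```

A bootkit that hooks disk I/O can hand a clean copy of sector 0 to programs running on the infected system, so the comparison is most trustworthy when the sector is read from boot media or from a disk image taken offline.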
#2 By Espírita 11/08/2010 - 23:26
* download ComboFix and save it to the desktop:
http://download.bleepingcomputer.com/protected/4538afb54478c6c8eaab60645075f1e1/4c45a198/ComboFix.exe
or
http://rapidshare.com/files/407986559/ComboFix.exe

* Temporarily disable your antivirus.
* Run it - Accept the agreement.

* If the Recovery Console is already installed, ComboFix will continue the process automatically.
* If it isn't, a window will be displayed asking to install it. Click [YES] to accept.

Important: while ComboFix is running, do not use the mouse or the keyboard!!.
– The program will close automatically. --

* post the report created at C:\combofix.txt and a new HijackThis log.
#3 By FelipeUra 11/08/2010 - 23:54
ComboFix log:

ComboFix 10-08-11.04 - Felipe 11/08/2010 23:45:49.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.3071.2705 [GMT -3:00]
Executando de: c:\documents and settings\Felipe\Meus documentos\Downloads\ComboFix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Firewall pessoal do ESET *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* AV residente está ativo

.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Thumbs.db
c:\windows\system32\vbzlib1.dll

.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
(((((((((((((((( Arquivos/Ficheiros criados de 2010-07-12 to 2010-08-12 ))))))))))))))))))))))))))))
.

2010-08-12 00:30 . 2007-01-18 12:00 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2010-08-07 20:18 . 2010-08-07 20:18 503808 ----a-w- c:\documents and settings\Felipe\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3e4657be-n\msvcp71.dll
2010-08-07 20:18 . 2010-08-07 20:18 499712 ----a-w- c:\documents and settings\Felipe\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3e4657be-n\jmc.dll
2010-08-07 20:18 . 2010-08-07 20:18 348160 ----a-w- c:\documents and settings\Felipe\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3e4657be-n\msvcr71.dll
2010-08-07 20:18 . 2010-08-07 20:18 61440 ----a-w- c:\documents and settings\Felipe\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4f46bb7a-n\decora-sse.dll
2010-08-07 20:18 . 2010-08-07 20:18 12800 ----a-w- c:\documents and settings\Felipe\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4f46bb7a-n\decora-d3d.dll
2010-08-07 04:27 . 2010-08-07 04:27 -------- d-----w- c:\arquivos de programas\Lavalys
2010-08-06 22:47 . 2010-08-06 22:47 -------- d-----w- c:\arquivos de programas\Cabal
2010-08-06 18:12 . 2010-08-06 18:12 -------- d-----w- c:\arquivos de programas\Arquivos comuns\BioWare
2010-07-27 14:43 . 2010-07-27 14:43 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-07-27 14:43 . 2010-07-27 14:43 -------- d-----r- c:\documents and settings\LocalService\Favoritos
2010-07-19 18:03 . 2010-07-28 19:05 -------- d-----w- c:\documents and settings\Felipe\Dados de aplicativos\uTorrent
2010-07-17 23:03 . 2010-02-04 13:01 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-07-17 23:03 . 2010-02-04 13:01 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-07-17 23:03 . 2010-02-04 13:01 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-07-17 23:03 . 2010-02-04 13:01 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-07-25 02:24 . 2010-03-15 02:15 -------- d---a-w- c:\arquivos de programas\Guru3D.com
2010-08-11 14:29 . 2001-10-28 20:07 80246 ----a-w- c:\windows\system32\perfc016.dat
2010-08-11 14:29 . 2001-10-28 20:07 473318 ----a-w- c:\windows\system32\perfh016.dat
2010-08-07 22:08 . 2010-03-10 00:39 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-08-07 22:08 . 2010-03-10 00:39 22328 ----a-w- c:\documents and settings\Felipe\Dados de aplicativos\PnkBstrK.sys
2010-08-07 22:08 . 2010-03-10 00:39 22328 ----a-w- c:\documents and settings\Felipe\Dados de aplicativos\PnkBstrK.sys
2010-08-07 22:08 . 2010-03-10 00:39 107832 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-08-07 22:08 . 2010-03-10 00:39 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-08-07 22:08 . 2010-03-10 00:39 2250024 ----a-w- c:\windows\system32\pbsvc.exe
2010-08-07 21:50 . 2010-03-08 18:30 -------- d-----w- c:\arquivos de programas\Ubisoft
2010-08-07 21:50 . 2010-03-08 00:44 -------- d--h--w- c:\arquivos de programas\InstallShield Installation Information
2010-07-15 19:38 . 2010-03-08 18:42 -------- d-----w- c:\documents and settings\Felipe\Dados de aplicativos\Ubisoft
2010-07-15 19:38 . 2010-03-08 18:39 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Ubisoft
2010-07-08 16:50 . 2010-03-08 00:44 -------- d-----w- c:\arquivos de programas\Arquivos comuns\InstallShield
2010-07-07 16:15 . 2010-07-07 16:15 -------- d-----w- c:\arquivos de programas\SumatraPDF
2010-07-06 20:15 . 2010-07-06 20:15 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Adobe
2010-06-30 12:32 . 2008-04-13 21:20 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-29 02:09 . 2010-03-23 00:58 -------- d-----w- c:\arquivos de programas\Messenger Plus! Live
2010-06-24 12:24 . 2008-04-13 21:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 09:02 . 2008-04-13 20:54 1852032 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2008-04-13 14:15 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2008-04-13 21:20 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-16 23:15 . 2010-06-16 23:13 -------- d-----w- c:\arquivos de programas\TeamSpeak 3 Client
2010-06-16 23:03 . 2010-06-16 22:46 -------- d-----w- c:\documents and settings\Felipe\Dados de aplicativos\TS3Client
2010-06-16 22:53 . 2010-06-16 22:53 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\boost_interprocess
2010-06-15 03:24 . 2010-04-10 00:44 -------- d-----w- c:\documents and settings\Felipe\Dados de aplicativos\FMZilla
2010-06-15 00:01 . 2010-06-15 00:01 -------- d-----w- c:\documents and settings\Felipe\Dados de aplicativos\WinAVI
2010-06-15 00:01 . 2010-06-15 00:01 -------- d-----w- c:\arquivos de programas\WinAVI Video Converter
2010-06-14 22:27 . 2010-06-14 22:27 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\TEMP
2010-06-14 14:31 . 2010-03-08 00:24 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:42 . 2008-04-13 21:20 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-06 03:19 . 2010-06-06 03:19 503808 ----a-w- c:\documents and settings\Felipe\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-36960f99-n\msvcp71.dll
2010-06-06 03:19 . 2010-06-06 03:19 499712 ----a-w- c:\documents and settings\Felipe\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-36960f99-n\jmc.dll
2010-06-06 03:19 . 2010-06-06 03:19 348160 ----a-w- c:\documents and settings\Felipe\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-36960f99-n\msvcr71.dll
2010-06-06 03:18 . 2010-06-06 03:18 61440 ----a-w- c:\documents and settings\Felipe\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-413fe5e0-n\decora-sse.dll
2010-06-06 03:18 . 2010-06-06 03:18 12800 ----a-w- c:\documents and settings\Felipe\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-413fe5e0-n\decora-d3d.dll
2010-06-04 05:33 . 2010-06-04 05:33 268435456 --sha-w- C:\WinPEpge.sys
2010-06-03 02:41 . 2010-06-03 02:41 3600384 ----a-w- c:\windows\system32\GPhotos.scr
.

------- Sigcheck -------

[-] 2008-06-04 . F482D6E6C375CFA35BF935B2F240F96E . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll


c:\windows\System32\ctfmon.exe ... está faltando !!
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883840]
"Pando Media Booster"="c:\arquivos de programas\Pando Networks\Media Booster\PMB.exe" [2010-04-05 2938552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-12-25 18789408]
"egui"="c:\arquivos de programas\ESET\ESET Smart Security\egui.exe" [2009-11-16 2054360]
"RivaTuner"="c:\arquivos de programas\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe" [2009-08-22 2781184]
"RivaTunerStartupDaemon"="c:\arquivos de programas\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe" [2009-08-22 2781184]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-03-16 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-03-16 13670504]
"SunJavaUpdateSched"="c:\arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2009-03-08 128512]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\arquivos de programas\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 17:21 548352 ----a-w- c:\arquivos de programas\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win7_Upgrade]
2009-08-26 19:12 475136 ----a-r- c:\documents and settings\Felipe\Configurações locais\Dados de aplicativos\DellWin7Upgrade\Win7_Upgrade_Start.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"c:\\Arquivos de programas\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"c:\\Arquivos de programas\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=
"c:\\Arquivos de programas\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Arquivos de programas\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Arquivos de programas\\Ubisoft\\Tom Clancy's H.A.W.X\\HAWX.exe"=
"c:\\Arquivos de programas\\Ubisoft\\Assassin's Creed II\\AssassinsCreedIIGame.exe"=
"c:\\Arquivos de programas\\Ubisoft\\Assassin's Creed II\\AssassinsCreedII.exe"=
"c:\\Arquivos de programas\\Ubisoft\\Assassin's Creed II\\UPlayBrowser.exe"=
"c:\\Arquivos de programas\\Ubisoft\\DRM-AC2-OFFLINE.Server-v0.3.2\\server.exe"=
"c:\\Arquivos de programas\\Ubisoft\\Prince of Persia The Forgotten Sands\\Prince of Persia.exe"=
"c:\\Arquivos de programas\\Ubisoft\\Prince of Persia The Forgotten Sands\\GameSettings.exe"=
"c:\\Arquivos de programas\\Ubisoft\\Prince of Persia The Forgotten Sands\\gu.exe"=
"c:\\Arquivos de programas\\Ubisoft\\Prince of Persia The Forgotten Sands\\UPlayBrowser.exe"=
"c:\\Arquivos de programas\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"d:\\uTorrent.exe"=
"d:\\Cabal Online\\launcher\\update\\ESTdnheadless.exe"=
"c:\\Windows\\system32\\dpvsetup.exe"=
"c:\\Arquivos de programas\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Arquivos de programas\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Arquivos de programas\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57821:TCP"= 57821:TCP:Pando Media Booster
"57821:UDP"= 57821:UDP:Pando Media Booster

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [16/11/2009 09:03 108792]
R1 SASDIFSV;SASDIFSV;c:\arquivos de programas\SUPERAntiSpyware\sasdifsv.sys [17/2/2010 10:25 12872]
R1 SASKUTIL;SASKUTIL;c:\arquivos de programas\SUPERAntiSpyware\SASKUTIL.SYS [17/2/2010 10:15 66632]
R2 ekrn;ESET Service;c:\arquivos de programas\ESET\ESET Smart Security\ekrn.exe [16/11/2009 09:04 735960]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [7/3/2010 21:55 1691480]
S3 L2XPSR;L2XPSR;c:\arquiv~1\CTBC\NetSuper\app\L2XPSR.SYS [8/7/2010 13:50 18450]
S3 NTSTPL2;NTSTPL2;c:\arquiv~1\CTBC\NetSuper\app\NTSTPL2.SYS [8/7/2010 13:53 18528]
S3 PciCon;PciCon;\??\i:\pcicon.sys --> i:\PciCon.sys [?]
S3 PhSerUsb;PHILOG USB Serial Driver;c:\windows\system32\drivers\PhSerUsb.sys [10/3/2010 14:41 48896]
S3 SASENUM;SASENUM;c:\arquivos de programas\SUPERAntiSpyware\SASENUM.SYS [17/2/2010 10:15 12872]
S3 TAPBIND;TAPBIND;c:\arquiv~1\CTBC\NetSuper\app\TAPBIND1.SYS [8/7/2010 13:50 51008]
S3 XDva332;XDva332;\??\c:\windows\system32\XDva332.sys --> c:\windows\system32\XDva332.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [31/3/2010 18:49 691696]
.
Conteúdo da pasta 'Tarefas Agendadas'

2010-08-12 c:\windows\Tasks\User_Feed_Synchronization-{1CD1D5A5-2252-4D2E-8642-0DBF01BCF32A}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 07:31]
.
.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.google.com.br/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\Felipe\Dados de aplicativos\Mozilla\Firefox\Profiles\s29tetgm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\arquivos de programas\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\arquivos de programas\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.blink_allowed - true
FF - user.js: network.prefetch-next - true
FF - user.js: nglayout.initialpaint.delay - 50
FF - user.js: layout.spellcheckDefault - 1
FF - user.js: browser.search.openintab - false
FF - user.js: browser.tabs.closeButtons - 1
FF - user.js: browser.tabs.opentabfor.middleclick - true
FF - user.js: browser.tabs.tabMinWidth - 100
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORFÃOS REMOVIDOS - - - -

HKCU-Run-MemStat - c:\arquivos de programas\MemStat XP\MemStat.exe
HKCU-Run-Comrade.exe - c:\arquivos de programas\GameSpy\Comrade\Comrade.exe
HKLM-Run-nwiz - nwiz.exe
HKLM-Run-HP Software Update - d:\hp software update\HPWuSchd2.exe
AddRemove-HP Imaging Device Functions - d:\digital imaging\DigitalImagingMonitor\hpzscr01.exe
AddRemove-HP Solution Center & Imaging Support Tools - d:\digital imaging\eSupport\hpzscr01.exe
AddRemove-Xfire - c:\documents and settings\Felipe\Meus documentos\Xfire\uninst.exe
AddRemove-{5B79CFD1-6845-4158-9D7D-6BE89DF2C135} - d:\digital imaging\{5B79CFD1-6845-4158-9D7D-6BE89DF2C135}\setup\hpzscr01.exe
AddRemove-Tex - c:\documents and settings\Felipe\Desktop\Nova pasta (2)\Uninstal.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-11 23:48
Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,44,f9,be,8a,19,77,de,47,82,a2,9a,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,44,f9,be,8a,19,77,de,47,82,a2,9a,\
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(956)
c:\arquivos de programas\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Tempo para conclusão: 2010-08-11 23:49:15
ComboFix-quarantined-files.txt 2010-08-12 02:49

Pré-execução: 9 pasta(s) 80.203.374.592 bytes disponíveis
Pós execução: 11 pasta(s) 81.071.955.968 bytes disponíveis

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 2C38560F0EE6279F259EB84D20738284



HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23:51:15, on 11/8/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\ESET\ESET Smart Security\ekrn.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Felipe\Meus documentos\Downloads\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Arquivos de programas\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [egui] "C:\Arquivos de programas\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [RivaTuner] "C:\Arquivos de programas\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe" /T
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Arquivos de programas\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe" /S
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Pando Media Booster] C:\Arquivos de programas\Pando Networks\Media Booster\PMB.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/pt/uno1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Arquivos de programas\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Arquivos de programas\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Arquivos de programas\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Arquivos de programas\CTBC\NetSuper\app\TangoService.exe

--
End of file - 5891 bytes
Espírita Cyber Highlander Registered
9.6K Messages 2.1K Likes
#4 By Espírita
12/08/2010 - 00:06
HijackThis -> Do a system scan only. Select the item:

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

Click Fix checked.

Just to be safe!!

Download Malwarebytes:
http://www.superdownloads.com.br/download/119/malwarebytes-anti-malware/

Install the application, update it and run a full scan.
When the scan finishes, if any "malware" was detected, click (Show results), then click (Remove selected).
A report will open automatically; copy and paste it here.
The infections will be sent to quarantine, and some types may require a system restart.
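The `(no file)` entry Espírita singles out is the kind of thing a log reader can flag mechanically. The Python below is an added example written for this thread, not part of HijackThis or of anything posted here: it parses the O2 and O23 lines of a HijackThis 2.0.4 log, flags BHOs whose CLSID is still registered but whose DLL is gone, and flags services that report `Unknown owner`. The sample lines are copied from the log above; the `action` and `reason` labels are this example's own convention.

```python
"""Triage of HijackThis 2.0.4 log lines.

Added example for this thread; not part of HijackThis. The line layouts are
taken from the log posted above, the severity labels are this example's own.
"""
import re
from typing import Iterable

# O2 - BHO: <name> - {CLSID} - <dll path, or "(no file)" when the DLL is gone>
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# O23 - Service: <display name> [(<short name>)] - <owner> - <image path>
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.*?)(?: \((?P<short>[^)]*)\))? - (?P<owner>.*?) - (?P<path>.*)$")


def triage(lines: Iterable[str]) -> list[dict]:
    """Return one finding per line that deserves a look.

    Two rules, both grounded in this thread:
      * an O2 BHO whose DLL is "(no file)" is an orphaned CLSID: nothing on
        disk backs it, so HijackThis's "Fix checked" removes only the registry
        entry, which is why Espírita singles it out;
      * an O23 service with "Unknown owner" carries no publisher string, so
        the image path behind it should be verified (hash, signature) rather
        than trusted on name alone.
    """
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O2_RE.match(line)
        if m and m["path"].strip().lower() == "(no file)":
            findings.append({"item": "O2", "clsid": m["clsid"], "name": m["name"],
                             "action": "fix", "reason": "BHO registered but DLL missing"})
            continue
        m = O23_RE.match(line)
        if m and m["owner"] == "Unknown owner":
            findings.append({"item": "O23", "service": m["short"] or m["name"],
                             "path": m["path"], "action": "review",
                             "reason": "service has no publisher information"})
    return findings


# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O23 - Service: ESET Service (ekrn) - ESET - C:\Arquivos de programas\ESET\ESET Smart Security\ekrn.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Arquivos de programas\CTBC\NetSuper\app\TangoService.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f["action"].upper(), f["item"], f["reason"], "->", f.get("clsid") or f.get("path"))
```

Running it on the sample prints one `FIX` line for the orphaned BHO and two `REVIEW` lines for the PunkBuster and Tango services; the "review" items are not verdicts, they are the entries whose binaries a helper would check next.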
FelipeUra New Member Registered
14 Messages 0 Likes
#5 By FelipeUra
12/08/2010 - 00:43
here it is:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Versão da Base de Dados: 4420

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/8/2010 00:42:19
mbam-log-2010-08-12 (00-42-19).txt

Tipo de Verificação: Verificação Completa (C:\|D:\|)
Objetos escaneados: 213680
Tempo decorrido: 18 minuto(s), 56 segundo(s)

Processos de Memória Infectados: 0
Módulos de Memória Infectados: 0
Chaves de Registro Infectadas: 0
Valores de Registro Infectados: 0
Itens de Dados no Registro Infectados: 0
Pastas Infectadas: 0
Arquivos Infectados: 14

Processos de Memória Infectados:
(Não foram detectados ítens maliciosos)

Módulos de Memória Infectados:
(Não foram detectados ítens maliciosos)

Chaves de Registro Infectadas:
(Não foram detectados ítens maliciosos)

Valores de Registro Infectados:
(Não foram detectados ítens maliciosos)

Itens de Dados no Registro Infectados:
(Não foram detectados ítens maliciosos)

Pastas Infectadas:
(Não foram detectados ítens maliciosos)

Arquivos Infectados:
C:\Arquivos de programas\Activision\Call of Duty 4 - Modern Warfare\rzr-cod4.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
C:\Arquivos de programas\Ubisoft\Ubisoft Game Launcher\UBIORBITAPI_R2.DLL (Trojan.Agent.CK) -> Quarantined and deleted successfully.
C:\Documents and Settings\Felipe\Dados de aplicativos\Sun\Java\Deployment\cache\6.0\44\1cdb592c-79905210 (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1A8291C8-26C8-44D8-8328-FAA63B28C0A4}\RP100\A0031021.dll (Trojan.Agent.CK) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1A8291C8-26C8-44D8-8328-FAA63B28C0A4}\RP100\A0031220.dll (Trojan.Agent.CK) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1A8291C8-26C8-44D8-8328-FAA63B28C0A4}\RP100\A0031240.dll (Trojan.Agent.CK) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1A8291C8-26C8-44D8-8328-FAA63B28C0A4}\RP108\A0038523.DLL (Trojan.Agent.CK) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1A8291C8-26C8-44D8-8328-FAA63B28C0A4}\RP84\A0027399.dll (Malware.Packer.T) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1A8291C8-26C8-44D8-8328-FAA63B28C0A4}\RP84\A0027622.dll (Malware.Packer.T) -> Quarantined and deleted successfully.
D:\Lineage II\system\fire.dll2 (Malware.Packer.T) -> Quarantined and deleted successfully.
D:\Lineage II\system l2 vitality\Fire.dll (Malware.Packer.T) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{1A8291C8-26C8-44D8-8328-FAA63B28C0A4}\RP80\A0023129.dll (Malware.Packer.T) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{1A8291C8-26C8-44D8-8328-FAA63B28C0A4}\RP84\A0028341.dll (Malware.Packer.T) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{1A8291C8-26C8-44D8-8328-FAA63B28C0A4}\RP84\A0028475.dll (Malware.Packer.T) -> Quarantined and deleted successfully.
Espírita Cyber Highlander Registered
9.6K Messages 2.1K Likes
#6 By Espírita
12/08/2010 - 10:49
Run Malwarebytes -> Quarantine tab... click Delete All.

** Right-click My Computer -> Properties -> System Restore... check the option to turn off System Restore... and click Apply **

Download Wise Registry Cleaner:
http://www.baixaki.com.br/download/wise-registry-cleaner.htm

Install the application (NOTE: do not install the Ask Toolbar). When you run it, select all the options on the left and click Scan. If errors are found, select all of them (without exception) and click Fix.

Download Advanced SystemCare:
http://www.baixaki.com.br/download/advanced-systemcare.htm

Install the application and run a cleanup and optimization of the system.

-- after these procedures, post a new HijackThis log.
igoreso Super Participant Registered
704 Messages 22 Likes
#7 By igoreso
12/08/2010 - 13:51

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-11 23:48
Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.

It looks to me like ComboFix disinfected it; MBR.exe reports nothing. Later I'll ask for a check of the MBR dump on VirusTotal. As for the bootkit remover, congratulations on the bullseye, I can see you researched the subject!
I don't answer questions by PM, e-mail or MSN! Use the forum!
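Two things in igoreso's post lend themselves to a worked example: catchme reporting on `\\.\PhysicalDrive0`, and the idea of checking the MBR dump on VirusTotal. The Python below is an added example written for this thread, not one of the tools discussed in it. It parses a 512-byte MBR dump, hashes the boot-code region (the part a bootkit replaces) separately from the partition table, runs a few sanity checks, and diffs the dump against a known-good copy. The two sample sectors, their disk signature and partition values are constructed in the code; on a real machine the first sector would come from a dump taken with an elevated read of the physical drive.

```python
r"""Inspect a 512-byte MBR dump and compare it with a known-good copy.

Added example for this thread; not one of the tools discussed here. On
Windows the first sector can be read with open(r"\\.\PhysicalDrive0", "rb")
from an elevated prompt; here the sectors are constructed so the script runs
offline.
"""
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
BOOT_CODE_END = 440        # classic layout: code, then a 4-byte disk signature
DISK_SIG_OFF = 440
PART_TABLE_OFF = 446       # four 16-byte entries
PART_ENTRY_LEN = 16
MBR_SIGNATURE = b"\x55\xaa"


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_partitions(mbr: bytes) -> list[Partition]:
    """Decode the four partition slots; empty slots are skipped."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0 and count == 0:
            continue
        parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def analyze_mbr(mbr: bytes) -> dict:
    """Hash the regions separately and run basic sanity checks.

    The boot code is hashed on its own because a bootkit replaces that part
    while leaving the partition table intact so the OS still boots: the
    boot-code hash is what you would look up or submit, the full-sector hash
    is what you would keep as a baseline.
    """
    if len(mbr) != SECTOR:
        raise ValueError(f"expected {SECTOR}-byte sector, got {len(mbr)}")
    issues = []
    if mbr[510:512] != MBR_SIGNATURE:
        issues.append("missing 0x55AA signature")
    parts = parse_partitions(mbr)
    if sum(p.bootable for p in parts) > 1:
        issues.append("more than one partition flagged bootable")
    spans = sorted((p.lba_start, p.lba_start + p.sectors) for p in parts)
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            issues.append("overlapping partitions")
            break
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_END]).hexdigest(),
        "sector_sha256": hashlib.sha256(mbr).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "partitions": parts,
        "issues": issues,
    }


def diff_against_baseline(current: bytes, baseline: bytes) -> list[str]:
    """Name the regions that differ from a dump taken while the disk was clean."""
    regions = {
        "boot_code": (0, BOOT_CODE_END),
        "disk_signature": (DISK_SIG_OFF, PART_TABLE_OFF),
        "partition_table": (PART_TABLE_OFF, 510),
        "signature": (510, SECTOR),
    }
    return [name for name, (a, b) in regions.items() if current[a:b] != baseline[a:b]]


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sector: caller-supplied boot bytes, one bootable NTFS partition."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into("<I", mbr, DISK_SIG_OFF, 0x1A2B3C4D)   # made-up disk signature
    # slot 0: bootable, type 0x07 (NTFS), LBA 63, 41943040 sectors (~20 GB)
    struct.pack_into("<B3xB3xII", mbr, PART_TABLE_OFF, 0x80, 0x07, 63, 41_943_040)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


# Two constructed sectors: same partition table, different boot code.
CLEAN_MBR = build_sample_mbr(bytes(range(64)))
TAMPERED_MBR = build_sample_mbr(bytes(range(64, 128)))

if __name__ == "__main__":
    report = analyze_mbr(TAMPERED_MBR)
    print("boot code sha256:", report["boot_code_sha256"])
    print("issues:", report["issues"] or "none")
    print("changed vs baseline:", diff_against_baseline(TAMPERED_MBR, CLEAN_MBR))
```

The point of the diff is the same one brando lee makes about restore points: a copy of the first sector taken while the machine is clean is the cheapest baseline there is, and `diff_against_baseline` reporting only `boot_code` is exactly the pattern of a bootkit that swapped the loader but kept the partition table so Windows still starts.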

FelipeUra New Member Registered
14 Messages 0 Likes
#8 By FelipeUra
12/08/2010 - 14:29
Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 14:25:16, on 12/8/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Arquivos de programas\ESET\ESET Smart Security\egui.exe
C:\Arquivos de programas\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe
C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe
C:\Arquivos de programas\ESET\ESET Smart Security\ekrn.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\CTBC\NetSuper\app\TangoService.exe
C:\Arquivos de programas\Windows Live\Contacts\wlcomm.exe
D:\Malwarebytes' Anti-Malware\mbam.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
D:\Advanced SystemCare 3\Awc.exe
C:\Documents and Settings\Felipe\Meus documentos\Downloads\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Arquivos de programas\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [egui] "C:\Arquivos de programas\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [RivaTuner] "C:\Arquivos de programas\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe" /T
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Arquivos de programas\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe" /S
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Pando Media Booster] C:\Arquivos de programas\Pando Networks\Media Booster\PMB.exe
O4 - HKCU\..\Run: [Advanced SystemCare 3] "D:\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/pt/uno1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Arquivos de programas\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Arquivos de programas\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Arquivos de programas\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Arquivos de programas\CTBC\NetSuper\app\TangoService.exe

--
End of file - 6504 bytes


igoreso said:
It looks to me like ComboFix disinfected it; MBR.exe reports nothing. Later I'll ask for a check of the MBR dump on VirusTotal. As for the bootkit remover, congratulations on the bullseye, I can see you researched the subject!

hehe, I searched a lot, especially since I don't remember downloading anything or visiting any dubious site
brando lee Zerinho Registered
2.4K Messages 97 Likes
#11 By brando lee
12/08/2010 - 15:29
Wolf09, a Windows system file is missing; it does not exist, it was deleted. Look at this piece of the ComboFix report:
------- Sigcheck -------

[-] 2008-06-04 . F482D6E6C375CFA35BF935B2F240F96E . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll


c:\windows\System32\ctfmon.exe ... está faltando !!
.
Windows Update restores the file.

Or if the guy had created a restore point while the PC was clean, that would fix it too.
I'll be away from the forum for a while, very busy, more important things to do: "Work".

Removing viruses with Notepad!

igoreso Super Participant Registered
704 Messages 22 Likes
#12 By igoreso
12/08/2010 - 15:42
brando lee said:


I'll solve the problem now:
Download SystemLook from one of the links below and save it to your Desktop.
Remember that if you are running Windows Vista or 7 you need to give the tool administrator privileges; to do that:
Right-click the file and then click
Double-click SystemLook.exe to run it.
Copy the contents of the following code box into the main text field:
:filefind 
ctfmon.exe

Click the Search button to start the analysis.
When it finishes, a Notepad window will open with the scan results. Please post that log in your next reply.
Note: the log can also be found on your desktop, named SystemLook.txt.

igoreso Super Participant Registered
704 Messages 22 Likes
#14 By igoreso
12/08/2010 - 15:53
FelipeUra said:
done:


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 15:48 on 12/08/2010 by Felipe (Administrator - Elevation successful)

========== filefind ==========

Searching for "ctfmon.exe"
No files found.

-=End Of File=-

*Click [Start] > [Run] > type: Combofix /uninstall
*Click [OK]

*Click [Run]
*Wait for the message "ComboFix está desinstalado" (ComboFix is uninstalled) to appear
*Click [OK]

2.
*Delete SystemLook and its report

3.
*Click [Start] > [Run] > type: sfc /scannow

*Click OK
*You will be asked for the Windows CD
*Insert it in the CD-ROM drive and wait until it finishes....
*Remove the CD and restart the PC

Cheers.
