
LSASSMGR.exe (& others) infected! Any info / help?




#1
9 Sep 2008, 10:31
New Members Group

Hello all,

I am very new to your site, but incredibly thankful that you are here. I stumbled upon you because of a recent infection on my mom's laptop (which is shared) and I am unsure how to resolve it.

About four days ago, IE windows with pop-up ads would suddenly appear, along with a balloon in my deskbar that reads, "Spyware detected! Click here to download anti-spyware"

I ran Symantec and Spybot S&D full scans (I don't know how this virus slipped past those two) and they found nothing! So I started googling and downloaded Malwarebytes' Anti-Malware and ran that. It found a few things, but it did not solve the problem.

I downloaded PrevxCSI but don't have enough $$$ yet to buy the license (but I will, if necessary), and it lists the following:

C:\WINDOWS\system32\dsfmon.dll - Malicious Software
C:\WINDOWS\system32\CSRLT.exe - Malware Dropper
C:\WINDOWS\MSBLT.exe - Malware Dropper
C:\WINDOWS\system32\LSASSMGR.exe - Cloaked Malware
C:\Program Files\Mozilla Firefox\firefoxe.exe - Cloaked Malware
C:\Program Files\Internet Explorer\iexplor.exe - Cloaked Malware
C:\WINDOWS\system32\spool.exe - Cloaked Malware
C:\WINDOWS\system32\srtsrv32.exe - Cloaked Malware
C:\WINDOWS\system32\LSSMON.exe - Malware Dropper
C:\WINDOWS\divx32.dll - Malware Dropper
C:\WINDOWS\system32\msupd32.exe - Malware Dropper
C:\WINDOWS\system32\upd01.exe - Malware Dropper

This looks and sounds like a lot to me and I am very worried. Does anyone have suggestions for me? Am I going to have to spend a lot of money to fix this?

Thank you so much!
#2
9 Sep 2008, 11:32
Moderator Group

Hello teddynicholas. Welcome to CJ.

Download ComboFix by sUBs from one of the links below. Make sure you save it to your Desktop.

Link #1
Link #2

** Note: It is important that it is saved directly to your Desktop

Close all open browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double-click combofix.exe and follow the prompts.
When finished, ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

#3
16 Sep 2008, 14:27
New Members Group

ComboFix 08-09-15.02 - Teddy 2008-09-16 16:34:04.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.550 [GMT -4:00]
Running from: C:\Documents and Settings\Teddy\Desktop\ComboFix.exe
* Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[1].txt
C:\Documents and Settings\Teddy\Cookies\teddy@ad.yieldmanager[1].txt
C:\WINDOWS\Downloaded Program Files\Setup.inf
C:\WINDOWS\system32\spool.exe

.
((((((((((((((((((((((((( Files Created from 2008/08/16 to 2008/09/16 )))))))))))))))))))))))))))))))
.

2008/09/16 16:21. 2008/09/16 16:50 <dir> d -------- C:\WINDOWS\system32\CatRoot_bak
2008/09/16 13:23. 2008/09/16 13:23 <dir> d -------- C:\WINDOWS\LastGood
2008/09/13 13:19. 2008/09/13 13:19 <dir> d -------- C:\Program Files\iTunes
2008/09/13 13:19. 2008/09/13 13:19 <dir> d -------- C:\Program Files\iPod
2008/09/13 13:19. 2008/09/13 13:19 <dir> d -------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008/09/13 13:12. 2008/09/13 13:16 <dir> d -------- C:\Program Files\Common Files\Apple
2008/09/08 16:10. 2008/09/08 16:10 <dir> d -------- C:\Program Files\Easy SpyRemover
2008/09/08 15:45. 2008/09/06 00:59 741,376 - a ------ C:\WINDOWS\system32\LSSMON.EXE
2008/09/08 15:45. 2008/09/04 21:59 17,920 - a ------ C:\WINDOWS\system32\LSASSMGR.EXE
2008/09/07 22:34. 2008/09/02 00:16 38,528 - a ------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008/09/07 22:33. 2008/09/07 22:34 <dir> d -------- C:\Program Files\Malwarebytes' Anti-Malware
2008/09/07 22:33. 2008/09/07 22:33 <dir> d -------- C:\Documents and Settings\Teddy\Application Data\Malwarebytes
2008/09/07 22:33. 2008/09/07 22:33 <dir> d -------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008/09/07 22:33. 2008/09/02 00:16 17,200 - a ------ C:\WINDOWS\system32\drivers\mbam.sys
2008/09/06 15:09. 2008/09/06 15:09 90,112 - a ------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008/09/06 15:09. 2008/09/06 15:09 57,344 - a ------ C:\WINDOWS\system32\QuickTime.qts
2008/09/05 10:44. 2008/09/06 00:59 741,376 - a ------ C:\WINDOWS\system32\msupd32.exe
2008/09/04 21:59. 2008/09/07 12:59 741,376 - a ------ C:\WINDOWS\system32\upd01.exe
2008/09/04 21:59. 2008/09/06 00:59 741,376 - a ------ C:\WINDOWS\divx32.dll
2008/09/04 21:59. 2008/09/04 21:59 17,920 - a ------ C:\WINDOWS\system32\srtsrv32.exe
2008/09/04 21:59. 2008/09/16 16:24 5903 - a ------ C:\WINDOWS\system32\mssc32.dll
2008/09/04 21:59. 2008/09/16 16:24 5903 - a ------ C:\WINDOWS\system32\bsc32.dll
2008/09/02 13:23. 2008/09/02 13:23 <dir> d -------- C:\Program Files\PrevxCSI
2008/09/02 13:23. 2008/09/16 13:32 <dir> d -------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008/09/02 13:23. 2008/09/02 13:23 17,408 - a ------ C:\WINDOWS\system32\drivers\pxark.sys
2008/09/01 01:30. 2008/09/02 13:10 <dir> da ------ C:\Documents and Settings\All Users\Application Data\TEMP
2008/09/01 01:20. 2008-09-07 22:19 0 - a ------ C:\WINDOWS\system32\sc02.sc
2008/08/31 01:46. 2007/02/20 16:04 2463976 - a ------ C:\WINDOWS\system32\NPSWF32.dll
2008/08/31 01:46. 2007/02/20 16:04 190,696 - a ------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008/08/30 09:59. 2008/08/30 21:34 <dir> d -------- C:\Program Files\Macromedia
2008/08/30 09:59. 2008/08/30 21:27 <dir> d -------- C:\Program Files\Common Files\Macromedia
2008/08/30 01:25. 2008/09/13 13:18 <dir> d -------- C:\Program Files\Bonjour
2008/08/29 14:33. 2006/09/18 17:55 109,744 - a ------ C:\WINDOWS\system32\drivers\Symevent.sys
2008/08/29 14:33. 2006/09/18 17:55 48,816 - a ------ C:\WINDOWS\system32\S32EVNT1.DLL
2008/08/29 10:18. 2008/08/29 10:18 87,336 - a ------ C:\WINDOWS\system32\dns-sd.exe
2008/08/29 09:53. 2008/08/29 09:53 61,440 - a ------ C:\WINDOWS\system32\dnssd.dll
2008/08/27 04:05. 2008/04/07 05:38 45,392-ra ------ C:\WINDOWS\system32\AdobePDF.dll
2008/08/27 04:05. 2008/04/07 05:38 22,872-ra ------ C:\WINDOWS\system32\AdobePDFUI.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008/09/16 20:53 --------- d ----- w C:\Program Files\Symantec AntiVirus
2008/09/13 17:17 --------- d ----- w C:\Program Files\QuickTime
2008/09/13 17:13 --------- d ----- w C:\Program Files\Apple Software Update
2008/09/08 18:53 249,956 ---- aw C:\WINDOWS\system32\dsfMon.dll
2008/09/01 07:50 --------- d ----- w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008/09/01 05:56 --------- d ----- w C:\Program Files\Spybot - Search & Destroy
2008/08/30 05:24 --------- d ----- w C:\Program Files\Common Files\Adobe
2008/08/29 18:34 --------- d ----- w C:\Program Files\Common Files\Symantec Shared
2008/08/29 18:33 --------- d ----- w C:\Program Files\Symantec
2008/08/29 18:32 --------- d ----- w C:\Documents and Settings\All Users\Application Data\Symantec
2008/08/27 08:22 --------- d ----- w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008/08/26 00:52 --------- d ----- w C:\Documents and Settings\Teddy\Application Data\OpenOffice.org2
2008/08/13 21:33 --------- d ----- w C:\Program Files\Microsoft Silverlight
2008/08/12 02:46 --------- d ----- w C:\Program Files\PHM
2008/07/26 08:55 --------- d ----- w C:\Program Files\OpenOffice.org 2.4
2008/07/26 08:54 --------- d ----- w C:\Program Files\Java
2008/07/19 02:10 94,920 ---- aw C:\WINDOWS\system32\cdm.dll
2008/07/19 02:10 53,448 ---- aw C:\WINDOWS\system32\wuauclt.exe
2008/07/19 02:09 563,912 ---- aw C:\WINDOWS\system32\wuapi.dll
2008/07/19 02:09 325,832 ---- aw C:\WINDOWS\system32\wucltui.dll
2008/07/19 02:09 205,000 ---- aw C:\WINDOWS\system32\wuweb.dll
2008/07/19 02:09 1,811,656 ---- aw C:\WINDOWS\system32\Wuaueng.dll
2008/07/07 20:32 253,952 ---- aw C:\WINDOWS\system32\Es.dll
2008/06/24 22:12 295,936 ------ w C:\WINDOWS\system32\wmpeffects.dll
2008/06/24 16:23 74,240 ---- aw C:\WINDOWS\system32\mscms.dll
2008/06/23 16:57 826,368 ---- aw C:\WINDOWS\system32\wininet.dll
2008/06/20 17:41 245,248 ---- aw C:\WINDOWS\system32\mswsock.dll
2008-04-19 16:57 32 ---- aw C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-02 68856]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-09-06 413696]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-05-14 32768]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 319488]
"SiS Windows KeyHook"="C:\WINDOWS\system32\keyhook.exe" [2004-09-02 249856]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2004-09-22 106496]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-12-05 159744]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"DSFHost"="C:\Program Files\Staples\easyprint\dsfhost.exe" [2006-01-05 2142301]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 143360]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2007-03-14 24104]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"Adobe Acrobat Speed Launcher"="C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
"Layersecurity Servicemonitor"="C:\WINDOWS\system32\LSSMON.EXE" [2008-09-06 741376]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"SoundMan"="SOUNDMAN.EXE" [2004/09/22 C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004/09/22 C:\WINDOWS\AGRSMMSG.exe]
"SiSPower"="SiSPower.dll" [2004/09/22 C:\WINDOWS\system32\SiSPower.dll]

C:\Documents and Settings\Teddy\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007/02/05 118784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"="C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=acaptuser32.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe]
"Debugger"=C:\Program Files\Mozilla Firefox\firefoxe.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"Debugger"=C:\Program Files\Internet Explorer\iexplor.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe]
"Debugger"=C:\WINDOWS\system32\spool.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\Services\SharedAccess\Parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\Sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\Onenote.exe"=
"C:\\Program Files\\Isadora\\isadora.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\Services\SharedAccess\Parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1500:TCP"= 1500:TCP:Safe Access Agent Port
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service


*Newly Created Service* - CatchMe
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-CSRLT.EXE - C:\WINDOWS\system32\CSRLT.EXE


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Teddy\Application Data\Mozilla\Firefox\Profiles\6xzfp0sa.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
.

**************************************************************************

CatchMe 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-16 16:51:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-16 17:15:59
ComboFix-quarantined-files.txt 2008-09-16 21:15:16

Pre-Run: 10478669824 bytes free
Post-Run: 10446106624 bytes free

190 --- EOF --- 2008-09-11 20:07:51
#4
16 Sep 2008, 14:45
Moderator Group

Note: the instructions below were created specifically for this user. If you are not this user, do NOT follow these instructions, as they could damage the workings of your system.

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the code box below by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

File::
C:\Program Files\Easy SpyRemover
C:\WINDOWS\system32\LSSMON.EXE
C:\WINDOWS\system32\LSASSMGR.EXE
C:\WINDOWS\system32\msupd32.exe
C:\WINDOWS\system32\upd01.exe
C:\WINDOWS\system32\srtsrv32.exe
C:\WINDOWS\system32\mssc32.dll
C:\WINDOWS\system32\bsc32.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"Debugger"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe]
"Debugger"=-

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) onto ComboFix.exe as you see in the image below. Important: Perform these instructions carefully!

ComboFix will begin to execute; just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

#5
16 Sep 2008, 15:32
New Members Group

ComboFix 08-09-15.02 - Teddy 2008-09-16 17:49:20.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.850 [GMT -4:00]
Running from: C:\Documents and Settings\Teddy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Teddy\Desktop\CFScript.txt
* Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\bsc32.dll
C:\WINDOWS\system32\LSASSMGR.EXE
C:\WINDOWS\system32\LSSMON.EXE
C:\WINDOWS\system32\mssc32.dll
C:\WINDOWS\system32\msupd32.exe
C:\WINDOWS\system32\spool.exe
C:\WINDOWS\system32\srtsrv32.exe
C:\WINDOWS\system32\upd01.exe

.
((((((((((((((((((((((((( Files Created from 2008/08/16 to 2008/09/16 )))))))))))))))))))))))))))))))
.

2008/09/16 16:21. 2008/09/16 16:50 <dir> d -------- C:\WINDOWS\system32\CatRoot_bak
2008/09/13 13:19. 2008/09/13 13:19 <dir> d -------- C:\Program Files\iTunes
2008/09/13 13:19. 2008/09/13 13:19 <dir> d -------- C:\Program Files\iPod
2008/09/13 13:19. 2008/09/13 13:19 <dir> d -------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008/09/13 13:12. 2008/09/13 13:16 <dir> d -------- C:\Program Files\Common Files\Apple
2008/09/08 16:10. 2008/09/08 16:10 <dir> d -------- C:\Program Files\Easy SpyRemover
2008/09/07 22:34. 2008/09/02 00:16 38,528 - a ------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008/09/07 22:33. 2008/09/07 22:34 <dir> d -------- C:\Program Files\Malwarebytes' Anti-Malware
2008/09/07 22:33. 2008/09/07 22:33 <dir> d -------- C:\Documents and Settings\Teddy\Application Data\Malwarebytes
2008/09/07 22:33. 2008/09/07 22:33 <dir> d -------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008/09/07 22:33. 2008/09/02 00:16 17,200 - a ------ C:\WINDOWS\system32\drivers\mbam.sys
2008/09/06 15:09. 2008/09/06 15:09 90,112 - a ------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008/09/06 15:09. 2008/09/06 15:09 57,344 - a ------ C:\WINDOWS\system32\QuickTime.qts
2008/09/04 21:59. 2008/09/06 00:59 741,376 - a ------ C:\WINDOWS\divx32.dll
2008/09/02 13:23. 2008/09/02 13:23 <dir> d -------- C:\Program Files\PrevxCSI
2008/09/02 13:23. 2008/09/16 13:32 <dir> d -------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008/09/02 13:23. 2008/09/02 13:23 17,408 - a ------ C:\WINDOWS\system32\drivers\pxark.sys
2008/09/01 01:30. 2008/09/02 13:10 <dir> da ------ C:\Documents and Settings\All Users\Application Data\TEMP
2008/09/01 01:20. 2008-09-07 22:19 0 - a ------ C:\WINDOWS\system32\sc02.sc
2008/08/31 01:46. 2007/02/20 16:04 2463976 - a ------ C:\WINDOWS\system32\NPSWF32.dll
2008/08/31 01:46. 2007/02/20 16:04 190,696 - a ------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008/08/30 09:59. 2008/08/30 21:34 <dir> d -------- C:\Program Files\Macromedia
2008/08/30 09:59. 2008/08/30 21:27 <dir> d -------- C:\Program Files\Common Files\Macromedia
2008/08/30 01:25. 2008/09/13 13:18 <dir> d -------- C:\Program Files\Bonjour
2008/08/29 14:33. 2006/09/18 17:55 109,744 - a ------ C:\WINDOWS\system32\drivers\Symevent.sys
2008/08/29 14:33. 2006/09/18 17:55 48,816 - a ------ C:\WINDOWS\system32\S32EVNT1.DLL
2008/08/29 10:18. 2008/08/29 10:18 87,336 - a ------ C:\WINDOWS\system32\dns-sd.exe
2008/08/29 09:53. 2008/08/29 09:53 61,440 - a ------ C:\WINDOWS\system32\dnssd.dll
2008/08/27 04:05. 2008/04/07 05:38 45,392-ra ------ C:\WINDOWS\system32\AdobePDF.dll
2008/08/27 04:05. 2008/04/07 05:38 22,872-ra ------ C:\WINDOWS\system32\AdobePDFUI.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008/09/16 21:33 --------- d ----- w C:\Program Files\Symantec AntiVirus
2008/09/13 17:17 --------- d ----- w C:\Program Files\QuickTime
2008/09/13 17:13 --------- d ----- w C:\Program Files\Apple Software Update
2008/09/01 07:50 --------- d ----- w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008/09/01 05:56 --------- d ----- w C:\Program Files\Spybot - Search & Destroy
2008/08/30 05:24 --------- d ----- w C:\Program Files\Common Files\Adobe
2008/08/29 18:34 --------- d ----- w C:\Program Files\Common Files\Symantec Shared
2008/08/29 18:33 --------- d ----- w C:\Program Files\Symantec
2008/08/29 18:32 --------- d ----- w C:\Documents and Settings\All Users\Application Data\Symantec
2008/08/27 08:22 --------- d ----- w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008/08/26 00:52 --------- d ----- w C:\Documents and Settings\Teddy\Application Data\OpenOffice.org2
2008/08/13 21:33 --------- d ----- w C:\Program Files\Microsoft Silverlight
2008/08/12 02:46 --------- d ----- w C:\Program Files\PHM
2008/07/26 08:55 --------- d ----- w C:\Program Files\OpenOffice.org 2.4
2008/07/26 08:54 --------- d ----- w C:\Program Files\Java
2008-04-19 16:57 32 ---- aw C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((( Snapshot@2008-09-16_17.03.48.82 )))))))))))))))))))))))))))))))))))))))))
.
- 2007/07/30 23:18:40 33,624-c - aw C:\WINDOWS\system32\dllcache\wups.dll
+ 2008-07-19 02:10:20 36,552-c - aw C:\WINDOWS\system32\dllcache\wups.dll
- 2007/07/30 23:18:40 33,624 ---- aw C:\WINDOWS\system32\wups.dll
+ 2008-07-19 02:10:20 36,552 ---- aw C:\WINDOWS\system32\wups.dll
- 2007/07/30 23:19:12 43,352 ---- aw C:\WINDOWS\system32\wups2.dll
+ 2008-07-19 02:10:40 45,768 ---- aw C:\WINDOWS\system32\wups2.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-02 68856]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-09-06 413696]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-05-14 32768]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 319488]
"SiS Windows KeyHook"="C:\WINDOWS\system32\keyhook.exe" [2004-09-02 249856]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2004-09-22 106496]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-12-05 159744]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"DSFHost"="C:\Program Files\Staples\easyprint\dsfhost.exe" [2006-01-05 2142301]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 143360]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2007-03-14 24104]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"Adobe Acrobat Speed Launcher"="C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"CSRLT.EXE"="C:\WINDOWS\system32\CSRLT.EXE" [BU]
"SoundMan"="SOUNDMAN.EXE" [2004/09/22 C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004/09/22 C:\WINDOWS\AGRSMMSG.exe]
"SiSPower"="SiSPower.dll" [2004/09/22 C:\WINDOWS\system32\SiSPower.dll]

C:\Documents and Settings\Teddy\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007/02/05 118784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"="C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=acaptuser32.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe]
"Debugger"=C:\Program Files\Mozilla Firefox\firefoxe.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\Services\SharedAccess\Parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\Sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\Onenote.exe"=
"C:\\Program Files\\Isadora\\isadora.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\Services\SharedAccess\Parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1500:TCP"= 1500:TCP:Safe Access Agent Port
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 pxark; pxark; C: \ WINDOWS \ system32 \ drivers \ pxark.sys [2008-09-02 17408]
R2 CSIScanner; CSIScanner; C: \ Program Files \ PrevxCSI \ prevxcsi.exe [2008/09/02 618040]
R2 SafeAccessAgent; acesso seguro Agent; C: \ Program Files \ StillSecure \ Safe Access Agent \ SAService.exe [2006-01-27 880640]
R2 Viewpoint Manager Service; Viewpoint Manager Service; C: \ Program Files \ Viewpoint \ Common \ ViewpointService.exe [2007-01-04 24652]
S3 HwIOctl; HwIOctl; C: \ Documents and Settings \ Proprietário \ Desktop \ HwIOctl.sys []
S3 Ktp3; Elantech touchpad (KTP3); C: \ WINDOWS \ system32 \ DRIVERS \ Ktp3.sy s [2004-09-22 24704]
S3 Memctl; Memctl; C: \ Documents and Settings \ Proprietário \ Desktop \ Memctl.sys []
.
Conteúdo da 'Tarefas agendadas' pasta
.
- - - - ÓRFÃOS REMOVIDO - - - --

HKLM-Run-Layersecurity Servicemonitor - C: \ WINDOWS \ system32 \ LSSMON.EXE
HKLM-RunOnce-MSBLT.EXE - C: \ WINDOWS \ MSBLT.EXE



************************************************** ************************

CatchMe 0.3.1361 W2K/XP/Vista - rootkit / stealth malware detector por Gmer, http://www.gmer.net
Rootkit scan 2008-09-16 18:00:27
5/1/2600 Windows Service Pack 2 NTFS

digitalizar processos escondidos ...

escaneamento automático entradas escondidas ...

digitalizar os arquivos ocultos ...


************************************************** ************************
.
------------------------ Other Running Processes ----------------------- --
.
C: \ Program Files \ Common Files \ Symantec Shared \ ccSetMgr.exe
C: \ Program Files \ Common Files \ Symantec Shared \ ccEvtMgr.exe
C: \ Program Files \ Common Files \ Symantec Shared \ SPBBC \ SPBBCSvc.exe
C: \ Program Files \ Lavasoft \ Ad-Aware 2007 \ aawservice.exe
C: \ Program Files \ Common Files \ Apple \ Mobile Device Support \ bin \ AppleMobileDeviceService.exe
C: \ Program Files \ Symantec \ LiveUpdate \ AluSchedulerSvc.exe
C: \ Program Files \ Bonjour \ mDNSResponder.exe
C: \ Program Files \ Symantec AntiVirus \ DefWatch.exe
C: \ Arquivos de Programas \ Nero \ Nero8 \ Nero BackItUp \ NBService.exe
C: \ WINDOWS \ system32 \ IoctlSvc.exe
C: \ WINDOWS \ system32 \ Mspmspsv.exe
C: \ WINDOWS \ system32 \ searchindexer.exe
C: \ Program Files \ Viewpoint \ Viewpoint Manager \ ViewMgr.exe
C: \ WINDOWS \ system32 \ rundll32.exe
C: \ PROGRA ~ 1 \ MICROS ~ 3 \ rapimgr.exe
C: \ Program Files \ Roxio \ Easy CD Creator 6 \ AudioCentral \ Playlist.exe
C: \ Program Files \ Apoint2K \ ApntEx.exe
C: \ Program Files \ Common Files \ Nero \ Lib \ NMIndexingService.exe
C: \ Program Files \ iPod \ bin \ iPodService.exe
C: \ WINDOWS \ system32 \ SearchProtocolHost.exe
C: \ WINDOWS \ system32 \ searchfilterhost.exe
.
************************************************** ************************
.
Conclusão time: 2008-09-16 18:24:56 - máquina foi reinicializada
ComboFix-quarantined-files.txt 2008-09-16 22:23:49
ComboFix2.txt 2008-09-16 21:16:14

Pré-Run: 10626510848 bytes livres
Post-Run: 10616803328 bytes livres

205 --- EOF --- 2008-09-11 20:07:51
  #6  
16 Sep 2008, 15:50
Moderators Group

Download TrendMicro HijackThis.exe (HJT) to your desktop.
  • Double-click HJTInstall.
  • Click the Install button.
  • It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
  • After installation, HijackThis should open for you.
  • Click the "Do a system scan and save a logfile" button.
  • HijackThis will scan, and then a log will open in Notepad.
  • Copy and paste the entire contents of the log into your post.
  • Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
__________________

  #7  
23 Sep 2008, 09:24
New Members Group

Logfile da Trend Micro HijackThis v2.0.2
Scan guardado em 12:21:04, em 9/23/2008
Plataforma: Windows XP SP2 (WinNT 5/01/2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Executando processos:
C: \ WINDOWS \ System32 \ smss.exe
C: \ WINDOWS \ system32 \ winlogon.exe
C: \ WINDOWS \ system32 \ Services.exe
C: \ WINDOWS \ system32 \ lsass.exe
C: \ WINDOWS \ system32 \ svchost.exe
C: \ WINDOWS \ System32 \ svchost.exe
C: \ WINDOWS \ system32 \ svchost.exe
C: \ Program Files \ Common Files \ Symantec Shared \ ccSetMgr.exe
C: \ Program Files \ Common Files \ Symantec Shared \ ccEvtMgr.exe
C: \ Program Files \ Common Files \ Symantec Shared \ SPBBC \ SPBBCSvc.exe
C: \ Program Files \ Lavasoft \ Ad-Aware 2007 \ aawservice.exe
C: \ WINDOWS \ system32 \ spoolsv.exe
C: \ Program Files \ Common Files \ Apple \ Mobile Device Support \ bin \ AppleMobileDeviceService.exe
C: \ Program Files \ Symantec \ LiveUpdate \ ALUSchedulerSvc.exe
C: \ Program Files \ PrevxCSI \ prevxcsi.exe
C: \ Program Files \ Symantec AntiVirus \ DefWatch.exe
C: \ Arquivos de Programas \ Nero \ Nero8 \ Nero BackItUp \ NBService.exe
C: \ WINDOWS \ system32 \ IoctlSvc.exe
C: \ Program Files \ StillSecure \ Safe Access Agent \ SAService.exe
C: \ WINDOWS \ system32 \ svchost.exe
C: \ Program Files \ Viewpoint \ Common \ ViewpointService.exe
C: \ WINDOWS \ system32 \ Mspmspsv.exe
C: \ WINDOWS \ system32 \ SearchIndexer.exe
C: \ WINDOWS \ Explorer.EXE
C: \ Program Files \ PrevxCSI \ prevxcsi.exe
C: \ WINDOWS \ System32 \ svchost.exe
C: \ Program Files \ CyberLink \ PowerDVD \ PDVDServ.exe
C: \ WINDOWS \ SOUNDMAN.EXE
C: \ WINDOWS \ system32 \ keyhook.exe
C: \ Program Files \ Apoint2K \ Apoint.exe
C: \ Program Files \ Java \ jre1.6.0_07 \ bin \ jusched.exe
C: \ Program Files \ Staples \ easyprint \ dsfhost.exe
C: \ Program Files \ Zune \ ZuneLauncher.exe
C: \ Program Files \ Microsoft Office \ Office12 \ GrooveMonitor.exe
C: \ Program Files \ Common Files \ Symantec Shared \ ccApp.exe
C: \ Program Files \ iTunes \ iTunesHelper.exe
C: \ Program Files \ Apoint2K \ Apntex.exe
C: \ Program Files \ Google \ GoogleToolbarNotifier \ GoogleToolbarNo tifier.exe
C: \ Program Files \ Microsoft ActiveSync \ wcescomm.exe
C: \ Program Files \ Common Files \ Nero \ Lib \ NMIndexStoreSvr.exe
C: \ PROGRA ~ 1 \ MICROS ~ 3 \ rapimgr.exe
C: \ Program Files \ Common Files \ Nero \ Lib \ NMIndexingService.exe
C: \ Program Files \ iPod \ bin \ iPodService.exe
C: \ Program Files \ Viewpoint \ Viewpoint Manager \ ViewMgr.exe
C: \ Arquivos de Programas \ Adobe \ Acrobat 9.0 \ Acrobat \ AcroTray.exe
C: \ Program Files \ Common Files \ Macrovision Shared \ FLEXnet Publisher \ FNPLicensingService.exe
C: \ WINDOWS \ system32 \ taskmgr.exe
C: \ WINDOWS \ lsass.exe
C: \ WINDOWS \ system32 \ SPOOLER.EXE
C: \ WINDOWS \ system32 \ wscntfy.exe
C: \ WINDOWS \ system32 \ ctfmon.exe
C: \ Program Files \ Trend Micro \ HijackThis \ HijackThis.exe
C: \ WINDOWS \ system32 \ SearchProtocolHost.exe

R0 - HKCU \ Software \ Microsoft \ Internet Explorer \ Main, Start Page = http://www.averatec.com
R1 - HKLM \ Software \ Microsoft \ Internet Explorer \ Main, Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM \ Software \ Microsoft \ Internet Explorer \ Main, Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM \ Software \ Microsoft \ Internet Explorer \ Main, Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM \ Software \ Microsoft \ Internet Explorer \ Main, Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU \ Software \ Microsoft \ Internet Connection Wizard, ShellNext = http://oqaserver-a/
R1 - HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Int ernet Settings, ProxyOverride = *. local
O2 - BHO: Yahoo! Toolbar Helper - (02478D38-C3F9-4EFB-9B51-7695ECA05670) - C: \ Program Files \ Yahoo! \ Companion \ installs \ CPN \ yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - (06849E9F-C8D7-4D59-B87D-784B7D6BE0B3) - C: \ Program Files \ Common Files \ Adobe \ Acrobat \ ActiveX \ AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - (18DF081C-E8AD-4283-A596-FA578C2EBDC3) - C: \ Program Files \ Common Files \ Adobe \ Acrobat \ ActiveX \ AcroIEHelperShim.dll
O2 - BHO: Spybot-S & D IE Protection - (53707962-6F74-2D53-2644-206D7942484F) - C: \ PROGRA ~ 1 \ SpyBot ~ 1 \ SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - (72853161-30C5-4D22-B7F9-0BBC1D38A37E) - C: \ PROGRA ~ 1 \ MICROS ~ 4 \ Office12 \ GRA8E1 ~ 1.DLL
O2 - BHO: SSVHelper Class - (761497BB-D6F0-462C-B6EB-D4DAF1D92D43) - C: \ Program Files \ Java \ jre1.6.0_07 \ bin \ ssv.dll
O2 - BHO: AOL Toolbar Launcher - (7C554162-8CB7-45A4-B8F4-8EA1C75885F9) - C: \ Program Files \ AOL \ AOL Toolbar 2.0 \ aoltb.dll
O2 - BHO: Viewpoint Toolbar BHO - (A7327C09-B521-4EDB-8509-7D2660C9EC98) - C: \ Program Files \ Viewpoint \ Viewpoint Toolbar \ 3.8.0 \ ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - (AA58ED58-01DD-4d91-8333-CF10577473F7) - c: \ arquivos de programas \ google \ googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - (AE7CD045-E861-484f-8273-0445EE161910) - C: \ Program Files \ Common Files \ Adobe \ Acrobat \ ActiveX \ AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - (AF69DE43-7D58-4638-B6FA-CE66B5AD205D) - C: \ Program Files \ Google \ GoogleToolbarNotifier \ 3.1.807.1746 \ sw g.dll
O2 - BHO: SmartSelect - (F4971EE7-DAA0-4053-9964-665D8EE6A077) - C: \ Program Files \ Common Files \ Adobe \ Acrobat \ ActiveX \ AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - (EF99BD32-C1FB-11D2-892F-0090271D4F88) - C: \ Program Files \ Yahoo! \ Companion \ installs \ CPN \ yt.dll
O3 - Toolbar: & Google - (2318C2B1-4965-11D4-9B18-009027A5CD4F) - c: \ arquivos de programas \ google \ googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - (DE9C389F-3316-41A7-809B-AA305ED9D922) - C: \ Program Files \ AOL \ AOL Toolbar 2.0 \ aoltb.dll
O3 - Toolbar: Viewpoint Toolbar - (F8AD5AA5-D966-4667-9DAF-2561D68B2012) - C: \ Program Files \ Common Files \ Viewpoint \ Toolbar Runtime \ 3.8.0 \ IEViewBar.dll
O3 - Toolbar: Adobe PDF - (47833539-D0C5-4125-9FA8-0819E2EAAC93) - C: \ Program Files \ Common Files \ Adobe \ Acrobat \ ActiveX \ AcroIEFavClient.dll
O4 - HKLM \ .. \ Run: [RemoteControl] "C: \ Program Files \ CyberLink \ PowerDVD \ PDVDServ.exe"
O4 - HKLM \ .. \ Run: [RoxioEngineUtility] "C: \ Program Files \ Common Files \ Roxio Shared \ System \ EngUtil.exe"
O4 - HKLM \ .. \ Run: [RoxioAudioCentral] "C: \ Program Files \ Roxio \ Easy CD Creator 6 \ AudioCentral \ RxMon.exe"
O4 - HKLM \ .. \ Run: [engenheiro de gravação de som] SOUNDMAN.EXE
O4 - HKLM \ .. \ Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM \ .. \ Run: [SiSPower] Rundll32.exe SiSPower.dll, ModeAgent
O4 - HKLM \ .. \ Run: [SiS Windows KeyHook] C: \ WINDOWS \ system32 \ keyhook.exe
O4 - HKLM \ .. \ Run: [SiSUSBRG] C: \ WINDOWS \ SiSUSBrg.exe
O4 - HKLM \ .. \ Run: [Apoint] C: \ Program Files \ Apoint2K \ Apoint.exe
O4 - HKLM \ .. \ Run: [SunJavaUpdateSched] "C: \ Program Files \ Java \ jre1.6.0_07 \ bin \ jusched.exe"
O4 - HKLM \ .. \ Run: [DSFHost] C: \ Program Files \ Staples \ easyprint \ dsfhost.exe
O4 - HKLM \ .. \ Run: [Synchronization Manager]% SystemRoot% \ system32 \ mobsync.exe / logon
O4 - HKLM \ .. \ Run: [Zune Launcher] "C: \ Program Files \ Zune \ ZuneLauncher.exe"
O4 - HKLM \ .. \ Run: [GrooveMonitor] "C: \ Program Files \ Microsoft Office \ Office12 \ GrooveMonitor.exe"
O4 - HKLM \ .. \ Run: [Adobe Reader Speed Launcher] "C: \ Arquivos de Programas \ Adobe \ Reader 8.0 \ Reader \ Reader_sl.exe"
O4 - HKLM \ .. \ Run: [NeroFilterCheck] C: \ Program Files \ Common Files \ Nero \ Lib \ NeroCheck.exe
O4 - HKLM \ .. \ Run: [NBKeyScan] "C: \ Arquivos de Programas \ Nero \ Nero8 \ Nero BackItUp \ NBKeyScan.exe"
O4 - HKLM \ .. \ Run: [Adobe Acrobat Speed Launcher] "C: \ Arquivos de Programas \ Adobe \ Acrobat 9.0 \ Acrobat \ Acrobat_sl.exe"
O4 - HKLM \ .. \ Run: [ccApp] "C: \ Program Files \ Common Files \ Symantec Shared \ ccApp.exe"
O4 - HKLM \ .. \ Run: [vptray] C: \ PROGRA ~ 1 \ SYMANT ~ 1 \ VPTray.exe
O4 - HKLM \ .. \ Run: [iTunesHelper] "C: \ Program Files \ iTunes \ iTunesHelper.exe"
O4 - HKLM \ .. \ Run: [Layersecurity Servicemonitor] C: \ WINDOWS \ system32 \ LSSMON.EXE
O4 - HKLM \ .. \ Run: [Print Spooler] C: \ WINDOWS \ system32 \ SPOOLER.EXE
O4 - HKCU \ .. \ Run: [swg] C: \ Arquivos de Programas \ Google \ GoogleToolbarNotifier \ GoogleToolbarNo tifier.exe
O4 - HKCU \ .. \ Run: [QuickTime Task] "C: \ Program Files \ QuickTime \ qttask.exe"-atboottime
O4 - HKCU \ .. \ Run: [H / PC Connection Agent] "C: \ Program Files \ Microsoft ActiveSync \ wcescomm.exe"
O4 - HKCU \ .. \ Run: [ctfmon.exe] C: \ WINDOWS \ system32 \ ctfmon.exe
O4 - HKCU \ .. \ Run: [IndxStoreSvr_ (79662E04-7C6C-4d9f-84C7-88D8A56B10AA)] "C: \ Program Files \ Common Files \ Nero \ Lib \ NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F -39A1E5104020
O4 - HKCU \ .. \ Run: [SpybotSD TeaTimer] C: \ Arquivos de Programas \ Spybot - Search & Destroy \ TeaTimer.exe
O4 - HKCU \ .. \ Run: [AdobeUpdater] C: \ Program Files \ Common Files \ Adobe \ Updater \ AdobeUpdater.exe
O4 - HKLM \ .. \ Policies \ Explorer \ Run: [LocalSecurityAuthoritySubsystem] C: \ WINDOWS \ lsass.exe
O4 - Startup: Adobe Gamma.lnk = C: \ Program Files \ Common Files \ Adobe \ Calibration \ Adobe Gamma Loader.exe
O4 - Startup: OneNote 2007 Screen Clipper e Launcher.lnk = C: \ Arquivos de Programas \ Microsoft Office \ Office12 \ ONENOTEM.EXE
O4 - Global Startup: Windows Desktop Search = C: \ Program Files \ Windows Desktop Search \ WindowsSearch.exe
O8 - Extra context menu item: & AOL Toolbar Search - C: \ Program Files \ aol \ aol toolbar 2.0 \ recursos \ en-US \ local \ search.html
O8 - Extra context menu item: Append Link Target para Existing PDF - res: / / C: \ Program Files \ Common Files \ Adobe \ Acrobat \ ActiveX \ AcroIEFavClient.dll / AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res: / / C: \ Program Files \ Common Files \ Adobe \ Acrobat \ ActiveX \ AcroIEFavClient.dll / AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res: / / C: \ Program Files \ Common Files \ Adobe \ Acrobat \ ActiveX \ AcroIEFavClient.dll / AcroIECaptureSelLinks.html
O8 - Extra context menu item: Converter em Adobe PDF - res: / / C: \ Program Files \ Common Files \ Adobe \ Acrobat \ ActiveX \ AcroIEFavClient.dll / AcroIECapture.html
O8 - Extra context menu item: E & xportar para o Microsoft Excel - res: / / C: \ PROGRA ~ 1 \ MICROS ~ 4 \ Office12 \ EXCEL.EXE/3000
O9 - Extra button: (no name) - (08B0E5C0-4FCB-11CF-AAA5-00401C608501) - C: \ Program Files \ Java \ jre1.6.0_07 \ bin \ ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - (08B0E5C0-4FCB-11CF-AAA5-00401C608501) - C: \ Program Files \ Java \ jre1.6.0_07 \ bin \ ssv.dll
O9 - Extra button: Enviar para o OneNote - (2670000A-7350-4f3c-8081-5663EE0C6C49) - C: \ PROGRA ~ 1 \ MICROS ~ 4 \ Office12 \ ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S & final para o OneNote - (2670000A-7350-4f3c-8081-5663EE0C6C49) - C: \ PROGRA ~ 1 \ MICROS ~ 4 \ Office12 \ ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - (2EAF5BB1-070F-11D3-9307-00C04FAE2D4F) - C: \ PROGRA ~ 1 \ MICROS ~ 3 \ INetRepl.dll
O9 - Extra button: (no name) - (2EAF5BB2-070F-11D3-9307-00C04FAE2D4F) - C: \ PROGRA ~ 1 \ MICROS ~ 3 \ INetRepl.dll
O9 - Extra 'Tools' menuitem: Criar Favorito Móvel ... - (2EAF5BB2-070F-11D3-9307-00C04FAE2D4F) - C: \ PROGRA ~ 1 \ MICROS ~ 3 \ INetRepl.dll
O9 - Extra button: AOL Toolbar - (3369AF0D-62E9-4bda-8103-B4C75499B578) - C: \ Program Files \ AOL \ AOL Toolbar 2.0 \ aoltb.dll
O9 - Extra button: Research - (92780B25-18CC-41C8-B9BE-3C9C571A8263) - C: \ PROGRA ~ 1 \ MIC273 ~ 1 \ Office12 \ REFIEBAR.DLL
O9 - Extra button: AIM - (AC9E2541-2814-11d5-BC6D-00B0D0A1DE45) - C: \ Program Files \ AIM \ aim.exe
O9 - Extra button: (no name) - (DFB852A3-47F8-48C4-A200-58CAB36FD2A2) - C: \ PROGRA ~ 1 \ SpyBot ~ 1 \ SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - (DFB852A3-47F8-48C4-A200-58CAB36FD2A2) - C: \ PROGRA ~ 1 \ SpyBot ~ 1 \ SDHelper.dll
O9 - Extra button: Messenger - (FB5F1910-F110-11d2-BB9E-00C04F795683) - C: \ Program Files \ Messenger \ msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - (FB5F1910-F110-11d2-BB9E-00C04F795683) - C: \ Program Files \ Messenger \ msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL = http://www.averatec.com
O16 - DPF: (0D6BB8B8-0257-420C-B9EB-CFA90DB1026C) -- http://svrnsec01.purchase.edu:88/setup.cab
O16 - DPF: (6414512B-B978-451D-A0D8-FCFDF33E833C) (WUWebControl Class) -- http://v5.windowsupdate.microsoft.co...?1096453339343
O18 - Protocol: grooveLocalGWS - (88FED34C-F0CA-4636-A375-3CB6248B04CD) - C: \ PROGRA ~ 1 \ MICROS ~ 4 \ Office12 \ GR99D3 ~ 1.DLL
O18 - Protocol: skype4com - (FFC8B962-9B40-4DFF-9458-1830C7DD7F5D) - C: \ PROGRA ~ 1 \ common ~ 1 \ Skype \ SKYPE4 ~ 1.DLL
O20 - AppInit_DLLs: acaptuser32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C: \ Program Files \ Lavasoft \ Ad-Aware 2007 \ aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C: \ Program Files \ Common Files \ Adobe Systems Shared \ Service \ Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C: \ Program Files \ Common Files \ Apple \ Mobile Device Support \ bin \ AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C: \ Program Files \ Symantec \ LiveUpdate \ ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C: \ Program Files \ Bonjour \ mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C: \ Program Files \ Common Files \ Symantec Shared \ ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C: \ Program Files \ Common Files \ Symantec Shared \ ccSetMgr.exe
O23 - Service: CSIScanner - Prevx - C: \ Program Files \ PrevxCSI \ prevxcsi.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C: \ Program Files \ Symantec AntiVirus \ DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C: \ Program Files \ Common Files \ Macrovision Shared \ FLEXnet Publisher \ FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C: \ Program Files \ Google \ Common \ Google Updater \ GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C: \ Program Files \ Common Files \ InstallShield \ Driver \ 11 \ Intel 32 \ IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C: \ Program Files \ iPod \ bin \ iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C: \ PROGRA ~ 1 \ Symantec \ LIVEUP ~ 1 \ LUCOMS ~ 1.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C: \ Arquivos de Programas \ Nero \ Nero8 \ Nero BackItUp \ NBService.exe
O23 - Service: NMIndexingService - Nero AG - C: \ Program Files \ Common Files \ Nero \ Lib \ NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C: \ WINDOWS \ system32 \ IoctlSvc.exe
O23 - Serviço: Safe Access (Agente SafeAccessAgent) - StillSecure - C: \ Program Files \ StillSecure \ Safe Access Agent \ SAService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C: \ Program Files \ Symantec AntiVirus \ SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C: \ Program Files \ Common Files \ Symantec Shared \ SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C: \ Program Files \ Common Files \ Symantec Shared \ SPBBC \ SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C: \ Program Files \ Symantec AntiVirus \ Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C: \ Program Files \ Common Files \ Symantec Shared \ Security Center \ SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C: \ Program Files \ Viewpoint \ Common \ ViewpointService.exe

--
Fim do arquivo - 14719 bytes
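
Offline triage of the HijackThis log above, added here as an example; it is not part of the original post and not HijackThis code. It flags core Windows process names that run from outside system32 and autoruns whose file name ComboFix had already listed under removed orphans. The function names, the expected-directory table (which assumes a default C:\WINDOWS install) and the sample log, rebuilt from lines of this thread with the extraction spacing removed, are assumptions.

```python
import ntpath
import re

# Assumption: default Windows XP install, core processes live in system32.
SYSTEM32 = r"c:\windows\system32"
EXPECTED_DIR = {name: SYSTEM32 for name in (
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe")}

# File names ComboFix listed under "orphans removed" earlier in this thread.
PREVIOUSLY_REMOVED = {"lssmon.exe", "msblt.exe"}

# Constructed sample: lines in HijackThis 2.0.2 layout, rebuilt from the log
# in this thread with the extraction spacing removed.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\lsass.exe
C:\WINDOWS\system32\SPOOLER.EXE

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Layersecurity Servicemonitor] C:\WINDOWS\system32\LSSMON.EXE
O4 - HKLM\..\Policies\Explorer\Run: [LocalSecurityAuthoritySubsystem] C:\WINDOWS\lsass.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

# "O4 - <key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$")
# First drive-letter path ending in .exe, with or without surrounding quotes.
EXE_RE = re.compile(r'"?([A-Za-z]:\\.+?\.exe)', re.IGNORECASE)


def check_path(path):
    """Return the reasons (possibly none) this executable path needs a closer look."""
    directory, base = ntpath.split(path.lower())
    reasons = []
    expected = EXPECTED_DIR.get(base)
    if expected and directory != expected:
        reasons.append("system process name outside " + expected)
    if base in PREVIOUSLY_REMOVED:
        reasons.append("reappeared after earlier removal")
    return reasons


def triage(log_text):
    """Return (source, path, reasons) for each flagged process or O4 autorun."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line ends the process list
            in_processes = False
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        match = O4_RE.match(line)
        if match:
            exe = EXE_RE.search(match.group("cmd"))
            if exe is None:               # e.g. bare "SOUNDMAN.EXE" with no path
                continue
            source, path = "autorun " + match.group("key"), exe.group(1)
        elif in_processes:
            source, path = "process", line
        else:
            continue
        reasons = check_path(path)
        if reasons:
            findings.append((source, path, reasons))
    return findings


if __name__ == "__main__":
    for source, path, reasons in triage(SAMPLE_LOG):
        print(f"{source}: {path} -> {'; '.join(reasons)}")
```

A name such as SPOOLER.EXE, which differs from the XP print spooler spoolsv.exe, passes both rules; look-alike names need a separate check such as file signature or hash verification.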
  #8  
23 Sep 2008, 10:25
Moderators Group

Download Malwarebytes' Anti-Malware (MBAM)
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When disinfection is complete, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

----------


Now run a new HijackThis scan and post the log, along with the MBAM log.
__________________


Copyright © 2006 - 2009 Computer Juice.
