Olá,
Não consegui abrir o hijackthis, mas posto o arquivo do Silent Runners.
"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Secure64" = "C:\WINDOWS\system32\dllcache\Regedit32.com StartUp" [null data]
"Secure32" = "C:\WINDOWS\system32\dllcache\Shell32.com StartUp" [null data]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"AlcWzrd" = "ALCWZRD.EXE" ["RealTek Semicoductor Corp."]
"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"Acrobat Assistant 8.0" = ""C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"" ["Adobe Systems Inc."]
"Blank AntiViri" = "C:\AUT0EXEC.BAT StartUp" [null data]
"High Definition Audio Property Page Shortcut" = "HDAShCut.exe" ["Windows ® Server 2003 DDK provider"]
"services" = ""C:\WINDOWS\system326382F3C\Services.exe"" [null data]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{0347C33E-8762-4905-BF09-768834316C61}\(Default) = "HP Print Enhancer"
-> {HKLM...CLSID} = "HP Print Enhancer"
\InProcServer32\(Default) = "C:\Arquivos de programas\Hewlett-Packard\Smart Web Printing\hpswp_printenhancer.dll" ["Hewlett-Packard Co."]
{053F9267-DC04-4294-A72C-58F732D338C0}\(Default) = (no title provided)
-> {HKLM...CLSID} = "HP Print Clips"
\InProcServer32\(Default) = "C:\Arquivos de programas\Hewlett-Packard\Smart Web Printing\hpswp_framework.dll" ["Hewlett-Packard Co."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Conversion Toolbar Helper"
\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extensão do 'Painel de controle' para panorâmica de vídeo"
-> {HKLM...CLSID} = "Extensão do 'Painel de controle' para panorâmica de vídeo"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extensão de ícone do HyperTerminal"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}" = "Pasta de Uploads Share-to-Web"
-> {HKLM...CLSID} = "Pasta de Uploads Share-to-Web"
\InProcServer32\(Default) = "C:\Arquivos de programas\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL" ["Hewlett-Packard"]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" ["Alexander Roshal"]
HKLM\SOFTWA RE\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "Userinit" = "C:\WINDOWS\system32\userinit.exe, "C:\WINDOWS\system32\M5VBVM60.EXE StartUp"" [MS], [file not found], [file not found]
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\
<<!>> "AlternateShell" = "C:\AUT0EXEC.BAT StartUp" [null data]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" ["Alexander Roshal"]
HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" ["Alexander Roshal"]
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" ["Alexander Roshal"]
HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
Default executables:
--------------------
HKLM\SOFTWARE\Classes\.com\(Default) = "comfile"
<<!>> HKLM\SOFTWARE\Classes\comfile\shell\open\command\(Default) = "C:\WINDOWS\system32\rund1132.exe %1" [null data]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoFolderOptions" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|Windows Components|Windows Explorer|
Removes the Folder Options menu item from the Tools menu}
"NoRun" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"NoFind" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"NoClose" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Alegria.bmp"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]
Windows Portable Device AutoPlay Handlers
-----------------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\
BridgeCS3ImportMediaOnArrival\
"Provider" = "Adobe Bridge CS3"
"InvokeProgID" = "Adobe.adobebridge"
"InvokeVerb" = "launch"
HKLM\SOFTWARE\Classes\Adobe.adobebridge\shell\launch\command\(Default) = "C:\Arquivos de programas\Adobe\Adobe Bridge CS3\bridgeproxy.exe -v %1" ["Adobe Systems, Inc."]
HPAutoplayPSE\
"Provider" = "HP Photosmart Essential 2.01"
"InvokeProgID" = "HpqPSApl.Autoplay"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\HpqPSApl.Autoplay\shell\Play\DropTarget\CLSID = "{A6873065-D632-4615-A3A9-C5F05EE109C1}"
-> {HKLM...CLSID} = (no title provided)
\LocalServer32\(Default) = "C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\HpqPsApl.exe" ["Hewlett-Packard"]
NeroAutoPlayEmptyCD\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay"
"InvokeVerb" = "EmptyCD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay\shell\EmptyCD\command\(Default) = ""C:\Arquivos de programas\Ahead\nero startsmart\nerostartsmart.exe" /Drive:%L" ["Ahead Software AG"]
NeroAutoPlayVideoDVD\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay"
"InvokeVerb" = "VideoDVD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay\shell\VideoDVD\command\(Default) = ""C:\Arquivos de programas\Ahead\nero startsmart\nerostartsmart.exe" /Drive:%L" ["Ahead Software AG"]
Startup items in "DIJr" & "All Users" startup folders:
------------------------------------------------------
C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar
"Suitcase 11.0" -> shortcut to: "C:\WINDOWS\Installer\{7451C9B5-3E10-4E59-AD37-AB7438D84288}\_01D57C9244869186542E24.exe -Startup" [null data]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Arquivos de programas\Extensis\Extensis Suitcase 11\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]
Transport Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
Explorer Bars
HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Arquivos de programas\Messenger\msmsgs.exe" [MS]
Miscellaneous IE Hijack Points
------------------------------
C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
Added lines (compared with English-language version):
[Strings]: SEARCH_PAGE_URL="&http://home.microsof...s/allinone.asp"
[Strings]: SAFESITE_VALUE="search.msn.com.br"
Missing lines (compared with English-language version):
[Strings]: 2 lines
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
Bonjour Service, Bonjour Service, ""C:\Arquivos de programas\Extensis\Extensis Suitcase 11\Bonjour\mDNSResponder.exe"" ["Apple Computer, Inc."]
FLEXnet Licensing Service, FLEXnet Licensing Service, ""C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe"" ["Macrovision Europe Ltd."]
hpqcxs08, hpqcxs08, "C:\WINDOWS\system32\svchost.exe -k hpdevmgmt" {"C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpqcxs08.dll" ["Hewlett-Packard Co."]}
Net Driver HPZ12, Net Driver HPZ12, "C:\WINDOWS\System32\svchost.exe -k HPZ12" {"C:\WINDOWS\system32\HPZinw12.dll" ["Hewlett-Packard"]}
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\System32\svchost.exe -k HPZ12" {"C:\WINDOWS\system32\HPZipm12.dll" ["Hewlett-Packard"]}
Serviço de Descoberta de dispositivos CUE HP, hpqddsvc, "C:\WINDOWS\system32\svchost.exe -k hpdevmgmt" {"C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpqddsvc.dll" ["Hewlett-Packard Co."]}
Print Monitors:
---------------
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
CutePDF Writer Monitor\Driver = "cpwmon2k.dll" [null data]
PCL Language Monitor\Driver = "hpz3l5ha.dll" ["Hewlett-Packard Company"]
---------- (launch time: 2008-12-15 14:58:14)
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 49 seconds, including 18 seconds for message boxes)
Hole.zip, Zero .txt, Blank.doc, Empty.jpg, Unoccupied.reg, Etc...
Started By pan_phm, 04/12/2008, 16:13
-
This topic is locked
21 replies to this topic
#17
Leone Fernandes
-
- Usuários
-
- 585 posts
(y)
- Sexo:Masculino
- Localidade:Belo Horizonte - MG
Posted 17/12/2008, 17:35
Baixe o Killbox em: Killbox
Não execute ainda.
Reinicie o PC em Modo de Segurança (Pressione intermitentemente F8 durante a inicialização, no menu que aparecer escolha Modo Seguro).
Execute o KillBox:
1) Selecione Delete on reboot;
2) Full path of file to delete;
3) Coloque:
C:\WINDOWS\system32\M5VBVM60.EXE
C:\WINDOWS\system32\rund1132.exe
- Aperte X. Responda "sim" à primeira pergunta e "não" à segunda.
Baixe o ComboFix em: ComboFix
1) Desabilite o seu anti-vírus temporariamente;
2) Dê um duplo-clique no combofix.exe e tecle "1" para prosseguir. O processo vai durar, em média, 10 minutos;
3) O ComboFix reiniciará o PC automaticamente, a fim de que o processo de remoção seja finalizado (somente se houver infecção);
4) Quando a varredura acabar, será gerado um log, que estará em C:\ComboFix.txt;
5) Reabilite o seu anti-vírus;
6) Preciso que você cole o conteúdo do ComboFix.txt em sua próxima resposta, juntamente com um novo log do HijackThis.
Não execute ainda.
Reinicie o PC em Modo de Segurança (Pressione intermitentemente F8 durante a inicialização, no menu que aparecer escolha Modo Seguro).
Execute o KillBox:
1) Selecione Delete on reboot;
2) Full path of file to delete;
3) Coloque:
C:\WINDOWS\system32\M5VBVM60.EXE
C:\WINDOWS\system32\rund1132.exe
- Aperte X. Responda "sim" à primeira pergunta e "não" à segunda.
Baixe o ComboFix em: ComboFix
1) Desabilite o seu anti-vírus temporariamente;
2) Dê um duplo-clique no combofix.exe e tecle "1" para prosseguir. O processo vai durar, em média, 10 minutos;
3) O ComboFix reiniciará o PC automaticamente, a fim de que o processo de remoção seja finalizado (somente se houver infecção);
4) Quando a varredura acabar, será gerado um log, que estará em C:\ComboFix.txt;
5) Reabilite o seu anti-vírus;
6) Preciso que você cole o conteúdo do ComboFix.txt em sua próxima resposta, juntamente com um novo log do HijackThis.
#18
pan_phm
-
- Usuários
-
- 9 posts
Novato no fórum
- Sexo:Não informado
Posted 18/12/2008, 15:56
Olá!
Deletei os dois arquivos, porém o combofix fecha antes de iniciar e "some" do desktop. Segue os logs do killbox e do silentrunners
"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\CTFMON.EXE" [MS]
"Secure64" = "C:\WINDOWS\system32\dllcache\Regedit32.com StartUp" [null data]
"Secure32" = "C:\WINDOWS\system32\dllcache\Shell32.com StartUp" [null data]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"AlcWzrd" = "ALCWZRD.EXE" ["RealTek Semicoductor Corp."]
"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"Acrobat Assistant 8.0" = ""C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"" ["Adobe Systems Inc."]
"Blank AntiViri" = "C:\AUT0EXEC.BAT StartUp" [null data]
"High Definition Audio Property Page Shortcut" = "HDAShCut.exe" ["Windows ® Server 2003 DDK provider"]
"services" = ""C:\WINDOWS\system32\1D1F0239\Services.exe"" [null data]
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]
>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\(Default) = "Personalização do navegador"
\StubPath = "RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP" [MS]
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\(Default) = "Themes Setup"
\StubPath = "C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall C:\WINDOWS\system32\themeui.dll" [MS]
{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\(Default) = "Microsoft Outlook Express 6"
\StubPath = ""C:\Arquivos de programas\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install" [MS]
{5945c046-1e7d-11d1-bc44-00c04fd912be}\(Default) = "Windows Messenger 4.7"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser" [MS]
{6BF52A52-394A-11d3-B153-00C04F79FAA6}\(Default) = "Microsoft Windows Media Player"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub" [MS]
{7790769C-0471-11d2-AF11-00C04FA35D02}\(Default) = "Catálogo de endereços 6"
\StubPath = ""C:\Arquivos de programas\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install" [MS]
{89820200-ECBD-11cf-8B85-00AA005B4340}\(Default) = "Atualização da área de trabalho do Windows"
\StubPath = "regsvr32.exe /s /n /i:U shell32.dll" [MS]
{89820200-ECBD-11cf-8B85-00AA005B4383}\(Default) = "Internet Explorer 6"
\StubPath = "C:\WINDOWS\system32\ie4uinit.exe" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{0347C33E-8762-4905-BF09-768834316C61}\(Default) = "HP Print Enhancer"
-> {HKLM...CLSID} = "HP Print Enhancer"
\InProcServer32\(Default) = "C:\Arquivos de programas\Hewlett-Packard\Smart Web Printing\hpswp_printenhancer.dll" ["Hewlett-Packard Co."]
{053F9267-DC04-4294-A72C-58F732D338C0}\(Default) = (no title provided)
-> {HKLM...CLSID} = "HP Print Clips"
\InProcServer32\(Default) = "C:\Arquivos de programas\Hewlett-Packard\Smart Web Printing\hpswp_framework.dll" ["Hewlett-Packard Co."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Conversion Toolbar Helper"
\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extensão do 'Painel de controle' para panorâmica de vídeo"
-> {HKLM...CLSID} = "Extensão do 'Painel de controle' para panorâmica de vídeo"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extensão de ícone do HyperTerminal"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}" = "Pasta de Uploads Share-to-Web"
-> {HKLM...CLSID} = "Pasta de Uploads Share-to-Web"
\InProcServer32\(Default) = "C:\Arquivos de programas\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL" ["Hewlett-Packard"]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" ["Alexander Roshal"]
HKLM\SOFTWA RE\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "Userinit" = "C:\WINDOWS\system32\userinit.exe, "C:\WINDOWS\system32\M5VBVM60.EXE StartUp"" [MS], [file not found], [file not found]
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\
<<!>> "AlternateShell" = "C:\AUT0EXEC.BAT StartUp" [null data]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" ["Alexander Roshal"]
HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" ["Alexander Roshal"]
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" ["Alexander Roshal"]
HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
Default executables:
--------------------
HKLM\SOFTWARE\Classes\.com\(Default) = "comfile"
<<!>> HKLM\SOFTWARE\Classes\comfile\shell\open\command\(Default) = "C:\WINDOWS\system32\rund1132.exe %1" [null data]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "(Nenhum)"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "%SystemRoot%\System32\logon.scr" [MS]
Windows Portable Device AutoPlay Handlers
-----------------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\
BridgeCS3ImportMediaOnArrival\
"Provider" = "Adobe Bridge CS3"
"InvokeProgID" = "Adobe.adobebridge"
"InvokeVerb" = "launch"
HKLM\SOFTWARE\Classes\Adobe.adobebridge\shell\launch\command\(Default) = "C:\Arquivos de programas\Adobe\Adobe Bridge CS3\bridgeproxy.exe -v %1" ["Adobe Systems, Inc."]
HPAutoplayPSE\
"Provider" = "HP Photosmart Essential 2.01"
"InvokeProgID" = "HpqPSApl.Autoplay"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\HpqPSApl.Autoplay\shell\Play\DropTarget\CLSID = "{A6873065-D632-4615-A3A9-C5F05EE109C1}"
-> {HKLM...CLSID} = (no title provided)
\LocalServer32\(Default) = "C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\HpqPsApl.exe" ["Hewlett-Packard"]
NeroAutoPlayEmptyCD\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay"
"InvokeVerb" = "EmptyCD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay\shell\EmptyCD\command\(Default) = ""C:\Arquivos de programas\Ahead\nero startsmart\nerostartsmart.exe" /Drive:%L" ["Ahead Software AG"]
NeroAutoPlayVideoDVD\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay"
"InvokeVerb" = "VideoDVD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay\shell\VideoDVD\command\(Default) = ""C:\Arquivos de programas\Ahead\nero startsmart\nerostartsmart.exe" /Drive:%L" ["Ahead Software AG"]
Startup items in "Administrador" & "All Users" startup folders:
---------------------------------------------------------------
C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar
"Suitcase 11.0" -> shortcut to: "C:\WINDOWS\Installer\{7451C9B5-3E10-4E59-AD37-AB7438D84288}\_01D57C9244869186542E24.exe -Startup" [null data]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Arquivos de programas\Extensis\Extensis Suitcase 11\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]
Transport Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
Explorer Bars
HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Arquivos de programas\Messenger\msmsgs.exe" [MS]
Miscellaneous IE Hijack Points
------------------------------
C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
Added lines (compared with English-language version):
[Strings]: SEARCH_PAGE_URL="&http://home.microsof...s/allinone.asp"
[Strings]: SAFESITE_VALUE="search.msn.com.br"
Missing lines (compared with English-language version):
[Strings]: 2 lines
All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------
Adaptador de desempenho WMI, WmiApSrv, "C:\WINDOWS\System32\wbem\wmiapsrv.exe" [MS]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
Avira AntiVir Personal - Free Antivirus Guard, AntiVirService, ""C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe"" ["Avira GmbH"]
Avira AntiVir Personal - Free Antivirus Scheduler, AntiVirScheduler, ""C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe"" ["Avira GmbH"]
Bonjour Service, Bonjour Service, ""C:\Arquivos de programas\Extensis\Extensis Suitcase 11\Bonjour\mDNSResponder.exe"" ["Apple Computer, Inc."]
FLEXnet Licensing Service, FLEXnet Licensing Service, ""C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe"" ["Macrovision Europe Ltd."]
hpqcxs08, hpqcxs08, "C:\WINDOWS\system32\svchost.exe -k hpdevmgmt" {"C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpqcxs08.dll" ["Hewlett-Packard Co."]}
Net Driver HPZ12, Net Driver HPZ12, "C:\WINDOWS\System32\svchost.exe -k HPZ12" {"C:\WINDOWS\system32\HPZinw12.dll" ["Hewlett-Packard"]}
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\System32\svchost.exe -k HPZ12" {"C:\WINDOWS\system32\HPZipm12.dll" ["Hewlett-Packard"]}
Serviço administrativo do gerenciador de disco lógico, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]
Serviço de Descoberta de dispositivos CUE HP, hpqddsvc, "C:\WINDOWS\system32\svchost.exe -k hpdevmgmt" {"C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpqddsvc.dll" ["Hewlett-Packard Co."]}
Serviço de Número de Série de Mídia Portátil, WmdmPmSN, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\mspmsnsv.dll" [MS]}
Print Monitors:
---------------
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
CutePDF Writer Monitor\Driver = "cpwmon2k.dll" [null data]
PCL Language Monitor\Driver = "hpz3l5ha.dll" ["Hewlett-Packard Company"]
---------- (launch time: 2008-12-18 16:52:21)
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 52 seconds, including 18 seconds for message boxes)
Pocket Killbox version 2.0.0.648
Running on Windows XP as DIJr(Administrator)
was started @ segunda-feira, dezembro 08, 2008, 2:53 PM
Killbox Closed(Exit) @ 2:54:16 PM
__________________________________________________
Pocket Killbox version 2.0.0.648
Running on Windows XP as DIJr(Administrator)
was started @ segunda-feira, dezembro 08, 2008, 2:56 PM
# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\dllChache\Empty.jpg
# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\dllChache\Hole.zip
# 3 [Delete on Reboot]
Path = C:\WINDOWS\system32\dllChache\Unoccupied.reg
# 4 [Delete on Reboot]
Path = C:\Arquivos de programas\Net Studio\USB_FW.exe
# 5 [Delete on Reboot]
Path = C:\WINDOWS\system32\dllChache\Blank.doc
# 6 [Delete on Reboot]
Path = C:\WINDOWS\system32\dllChache\Zero.txt
I Rebooted @ 3:18:23 PM
Killbox Closed(Exit) @ 3:18:24 PM
__________________________________________________
Pocket Killbox version 2.0.0.648
Running on Windows XP as DIJr(Administrator)
was started @ segunda-feira, dezembro 08, 2008, 3:23 PM
Killbox Closed(Exit) @ 3:23:44 PM
__________________________________________________
Pocket Killbox version 2.0.0.648
Running on Windows XP as DIJr(Administrator)
was started @ segunda-feira, dezembro 08, 2008, 3:51 PM
Killbox Closed(Exit) @ 3:52:01 PM
__________________________________________________
Pocket Killbox version 2.0.0.648
Running on Windows XP as DIJr(Administrator)
was started @ quinta-feira, dezembro 18, 2008, 4:13 PM
# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\M5VBVM60.EXE
I Rebooted @ 4:15:41 PM
Killbox Closed(Exit) @ 4:15:42 PM
__________________________________________________
Pocket Killbox version 2.0.0.648
Running on Windows XP as DIJr(Administrator)
was started @ quinta-feira, dezembro 18, 2008, 4:17 PM
# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\rund1132.exe
I Rebooted @ 4:18:00 PM
Killbox Closed(Exit) @ 4:18:01 PM
__________________________________________________
Pocket Killbox version 2.0.0.648
Running on Windows XP as DIJr(Administrator)
was started @ quinta-feira, dezembro 18, 2008, 4:25 PM
# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\M5VBVM60.EXE C:\WINDOWS\system32\rund1132.exe
PendingFileRenameOperations Registry Data has been Removed by External Process! @ 4:29:15 PM
# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\rund1132.exe
# 3 [Delete on Reboot]
Path = C:\WINDOWS\system32\M5VBVM60.EXE C:\WINDOWS\system32\rund1132.exe
# 4 [Delete on Reboot]
Path = C:\WINDOWS\system32\rund1132.exe
Killbox Closed(Exit) @ 4:35:11 PM
__________________________________________________
Pocket Killbox version 2.0.0.648
Running on Windows XP as DIJr(Administrator)
was started @ quinta-feira, dezembro 18, 2008, 4:35 PM
# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\rund1132.exe
# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\M5VBVM60.EXE
I Rebooted @ 4:36:29 PM
Killbox Closed(Exit) @ 4:36:29 PM
__________________________________________________
Pocket Killbox version 2.0.0.648
Running on Windows XP as Administrador(Administrator)
was started @ quinta-feira, dezembro 18, 2008, 4:43 PM
# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\M5VBVM60.EXE
# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\rund1132.exe
I Rebooted @ 4:45:11 PM
Killbox Closed(Exit) @ 4:45:11 PM
__________________________________________________
Deletei os dois arquivos, porém o combofix fecha antes de iniciar e "some" do desktop. Segue os logs do killbox e do silentrunners
"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\CTFMON.EXE" [MS]
"Secure64" = "C:\WINDOWS\system32\dllcache\Regedit32.com StartUp" [null data]
"Secure32" = "C:\WINDOWS\system32\dllcache\Shell32.com StartUp" [null data]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"AlcWzrd" = "ALCWZRD.EXE" ["RealTek Semicoductor Corp."]
"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"Acrobat Assistant 8.0" = ""C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"" ["Adobe Systems Inc."]
"Blank AntiViri" = "C:\AUT0EXEC.BAT StartUp" [null data]
"High Definition Audio Property Page Shortcut" = "HDAShCut.exe" ["Windows ® Server 2003 DDK provider"]
"services" = ""C:\WINDOWS\system32\1D1F0239\Services.exe"" [null data]
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]
>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\(Default) = "Personalização do navegador"
\StubPath = "RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP" [MS]
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\(Default) = "Themes Setup"
\StubPath = "C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall C:\WINDOWS\system32\themeui.dll" [MS]
{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\(Default) = "Microsoft Outlook Express 6"
\StubPath = ""C:\Arquivos de programas\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install" [MS]
{5945c046-1e7d-11d1-bc44-00c04fd912be}\(Default) = "Windows Messenger 4.7"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser" [MS]
{6BF52A52-394A-11d3-B153-00C04F79FAA6}\(Default) = "Microsoft Windows Media Player"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub" [MS]
{7790769C-0471-11d2-AF11-00C04FA35D02}\(Default) = "Catálogo de endereços 6"
\StubPath = ""C:\Arquivos de programas\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install" [MS]
{89820200-ECBD-11cf-8B85-00AA005B4340}\(Default) = "Atualização da área de trabalho do Windows"
\StubPath = "regsvr32.exe /s /n /i:U shell32.dll" [MS]
{89820200-ECBD-11cf-8B85-00AA005B4383}\(Default) = "Internet Explorer 6"
\StubPath = "C:\WINDOWS\system32\ie4uinit.exe" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{0347C33E-8762-4905-BF09-768834316C61}\(Default) = "HP Print Enhancer"
-> {HKLM...CLSID} = "HP Print Enhancer"
\InProcServer32\(Default) = "C:\Arquivos de programas\Hewlett-Packard\Smart Web Printing\hpswp_printenhancer.dll" ["Hewlett-Packard Co."]
{053F9267-DC04-4294-A72C-58F732D338C0}\(Default) = (no title provided)
-> {HKLM...CLSID} = "HP Print Clips"
\InProcServer32\(Default) = "C:\Arquivos de programas\Hewlett-Packard\Smart Web Printing\hpswp_framework.dll" ["Hewlett-Packard Co."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Conversion Toolbar Helper"
\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extensão do 'Painel de controle' para panorâmica de vídeo"
-> {HKLM...CLSID} = "Extensão do 'Painel de controle' para panorâmica de vídeo"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extensão de ícone do HyperTerminal"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}" = "Pasta de Uploads Share-to-Web"
-> {HKLM...CLSID} = "Pasta de Uploads Share-to-Web"
\InProcServer32\(Default) = "C:\Arquivos de programas\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL" ["Hewlett-Packard"]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" ["Alexander Roshal"]
HKLM\SOFTWA RE\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "Userinit" = "C:\WINDOWS\system32\userinit.exe, "C:\WINDOWS\system32\M5VBVM60.EXE StartUp"" [MS], [file not found], [file not found]
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\
<<!>> "AlternateShell" = "C:\AUT0EXEC.BAT StartUp" [null data]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" ["Alexander Roshal"]
HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" ["Alexander Roshal"]
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" ["Alexander Roshal"]
HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
Default executables:
--------------------
HKLM\SOFTWARE\Classes\.com\(Default) = "comfile"
<<!>> HKLM\SOFTWARE\Classes\comfile\shell\open\command\(Default) = "C:\WINDOWS\system32\rund1132.exe %1" [null data]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "(Nenhum)"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "%SystemRoot%\System32\logon.scr" [MS]
Windows Portable Device AutoPlay Handlers
-----------------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\
BridgeCS3ImportMediaOnArrival\
"Provider" = "Adobe Bridge CS3"
"InvokeProgID" = "Adobe.adobebridge"
"InvokeVerb" = "launch"
HKLM\SOFTWARE\Classes\Adobe.adobebridge\shell\launch\command\(Default) = "C:\Arquivos de programas\Adobe\Adobe Bridge CS3\bridgeproxy.exe -v %1" ["Adobe Systems, Inc."]
HPAutoplayPSE\
"Provider" = "HP Photosmart Essential 2.01"
"InvokeProgID" = "HpqPSApl.Autoplay"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\HpqPSApl.Autoplay\shell\Play\DropTarget\CLSID = "{A6873065-D632-4615-A3A9-C5F05EE109C1}"
-> {HKLM...CLSID} = (no title provided)
\LocalServer32\(Default) = "C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\HpqPsApl.exe" ["Hewlett-Packard"]
NeroAutoPlayEmptyCD\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay"
"InvokeVerb" = "EmptyCD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay\shell\EmptyCD\command\(Default) = ""C:\Arquivos de programas\Ahead\nero startsmart\nerostartsmart.exe" /Drive:%L" ["Ahead Software AG"]
NeroAutoPlayVideoDVD\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay"
"InvokeVerb" = "VideoDVD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay\shell\VideoDVD\command\(Default) = ""C:\Arquivos de programas\Ahead\nero startsmart\nerostartsmart.exe" /Drive:%L" ["Ahead Software AG"]
Startup items in "Administrador" & "All Users" startup folders:
---------------------------------------------------------------
C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar
"Suitcase 11.0" -> shortcut to: "C:\WINDOWS\Installer\{7451C9B5-3E10-4E59-AD37-AB7438D84288}\_01D57C9244869186542E24.exe -Startup" [null data]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Arquivos de programas\Extensis\Extensis Suitcase 11\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]
Transport Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
Explorer Bars
HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Arquivos de programas\Messenger\msmsgs.exe" [MS]
Miscellaneous IE Hijack Points
------------------------------
C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
Added lines (compared with English-language version):
[Strings]: SEARCH_PAGE_URL="&http://home.microsof...s/allinone.asp"
[Strings]: SAFESITE_VALUE="search.msn.com.br"
Missing lines (compared with English-language version):
[Strings]: 2 lines
All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------
Adaptador de desempenho WMI, WmiApSrv, "C:\WINDOWS\System32\wbem\wmiapsrv.exe" [MS]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
Avira AntiVir Personal - Free Antivirus Guard, AntiVirService, ""C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe"" ["Avira GmbH"]
Avira AntiVir Personal - Free Antivirus Scheduler, AntiVirScheduler, ""C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe"" ["Avira GmbH"]
Bonjour Service, Bonjour Service, ""C:\Arquivos de programas\Extensis\Extensis Suitcase 11\Bonjour\mDNSResponder.exe"" ["Apple Computer, Inc."]
FLEXnet Licensing Service, FLEXnet Licensing Service, ""C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe"" ["Macrovision Europe Ltd."]
hpqcxs08, hpqcxs08, "C:\WINDOWS\system32\svchost.exe -k hpdevmgmt" {"C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpqcxs08.dll" ["Hewlett-Packard Co."]}
Net Driver HPZ12, Net Driver HPZ12, "C:\WINDOWS\System32\svchost.exe -k HPZ12" {"C:\WINDOWS\system32\HPZinw12.dll" ["Hewlett-Packard"]}
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\System32\svchost.exe -k HPZ12" {"C:\WINDOWS\system32\HPZipm12.dll" ["Hewlett-Packard"]}
Serviço administrativo do gerenciador de disco lógico, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]
Serviço de Descoberta de dispositivos CUE HP, hpqddsvc, "C:\WINDOWS\system32\svchost.exe -k hpdevmgmt" {"C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpqddsvc.dll" ["Hewlett-Packard Co."]}
Serviço de Número de Série de Mídia Portátil, WmdmPmSN, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\mspmsnsv.dll" [MS]}
Print Monitors:
---------------
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
CutePDF Writer Monitor\Driver = "cpwmon2k.dll" [null data]
PCL Language Monitor\Driver = "hpz3l5ha.dll" ["Hewlett-Packard Company"]
---------- (launch time: 2008-12-18 16:52:21)
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 52 seconds, including 18 seconds for message boxes)
Pocket Killbox version 2.0.0.648
Running on Windows XP as DIJr(Administrator)
was started @ segunda-feira, dezembro 08, 2008, 2:53 PM
Killbox Closed(Exit) @ 2:54:16 PM
__________________________________________________
Pocket Killbox version 2.0.0.648
Running on Windows XP as DIJr(Administrator)
was started @ segunda-feira, dezembro 08, 2008, 2:56 PM
# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\dllChache\Empty.jpg
# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\dllChache\Hole.zip
# 3 [Delete on Reboot]
Path = C:\WINDOWS\system32\dllChache\Unoccupied.reg
# 4 [Delete on Reboot]
Path = C:\Arquivos de programas\Net Studio\USB_FW.exe
# 5 [Delete on Reboot]
Path = C:\WINDOWS\system32\dllChache\Blank.doc
# 6 [Delete on Reboot]
Path = C:\WINDOWS\system32\dllChache\Zero.txt
I Rebooted @ 3:18:23 PM
Killbox Closed(Exit) @ 3:18:24 PM
__________________________________________________
Pocket Killbox version 2.0.0.648
Running on Windows XP as DIJr(Administrator)
was started @ segunda-feira, dezembro 08, 2008, 3:23 PM
Killbox Closed(Exit) @ 3:23:44 PM
__________________________________________________
Pocket Killbox version 2.0.0.648
Running on Windows XP as DIJr(Administrator)
was started @ segunda-feira, dezembro 08, 2008, 3:51 PM
Killbox Closed(Exit) @ 3:52:01 PM
__________________________________________________
Pocket Killbox version 2.0.0.648
Running on Windows XP as DIJr(Administrator)
was started @ quinta-feira, dezembro 18, 2008, 4:13 PM
# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\M5VBVM60.EXE
I Rebooted @ 4:15:41 PM
Killbox Closed(Exit) @ 4:15:42 PM
__________________________________________________
Pocket Killbox version 2.0.0.648
Running on Windows XP as DIJr(Administrator)
was started @ quinta-feira, dezembro 18, 2008, 4:17 PM
# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\rund1132.exe
I Rebooted @ 4:18:00 PM
Killbox Closed(Exit) @ 4:18:01 PM
__________________________________________________
Pocket Killbox version 2.0.0.648
Running on Windows XP as DIJr(Administrator)
was started @ quinta-feira, dezembro 18, 2008, 4:25 PM
# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\M5VBVM60.EXE C:\WINDOWS\system32\rund1132.exe
PendingFileRenameOperations Registry Data has been Removed by External Process! @ 4:29:15 PM
# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\rund1132.exe
# 3 [Delete on Reboot]
Path = C:\WINDOWS\system32\M5VBVM60.EXE C:\WINDOWS\system32\rund1132.exe
# 4 [Delete on Reboot]
Path = C:\WINDOWS\system32\rund1132.exe
Killbox Closed(Exit) @ 4:35:11 PM
__________________________________________________
Pocket Killbox version 2.0.0.648
Running on Windows XP as DIJr(Administrator)
was started @ quinta-feira, dezembro 18, 2008, 4:35 PM
# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\rund1132.exe
# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\M5VBVM60.EXE
I Rebooted @ 4:36:29 PM
Killbox Closed(Exit) @ 4:36:29 PM
__________________________________________________
Pocket Killbox version 2.0.0.648
Running on Windows XP as Administrador(Administrator)
was started @ quinta-feira, dezembro 18, 2008, 4:43 PM
# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\M5VBVM60.EXE
# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\rund1132.exe
I Rebooted @ 4:45:11 PM
Killbox Closed(Exit) @ 4:45:11 PM
__________________________________________________
#19
Leone Fernandes
-
- Usuários
-
- 585 posts
(y)
- Sexo:Masculino
- Localidade:Belo Horizonte - MG
Posted 18/12/2008, 19:41
O Vírus que infectou você é o W32/Brontok-CJ.
Baixe o Win32.Brontok.A@mm Removal Tool em:
http://superdownload...m-removal-tool/
Abra-o ele fará o scan e irá remover o vírus automaticamente.
Gere um novo log do hijackthis e cole na sua resposta.
Baixe o Win32.Brontok.A@mm Removal Tool em:
http://superdownload...m-removal-tool/
Abra-o ele fará o scan e irá remover o vírus automaticamente.
Gere um novo log do hijackthis e cole na sua resposta.
Edição feita por: Northon, 18/12/2008, 22:27.
#20
pan_phm
-
- Usuários
-
- 9 posts
Novato no fórum
- Sexo:Não informado
Posted 05/01/2009, 15:05
Baixei o programa mas ele insiste em fechar. Toda vez que eu executo o programa ele fecha e o icone acaba desaparecendo. Não consigo executar mais nenhum programa que tenha alguma relação a remoção de vírus. O HijackThis também não funciona. Já tentei em modo de segurança, mas o resultado é o mesmo.
#21
Leone Fernandes
-
- Usuários
-
- 585 posts
(y)
- Sexo:Masculino
- Localidade:Belo Horizonte - MG
Posted 05/01/2009, 22:45
Formate o computador, é o único jeito.
#22
Leone Fernandes
-
- Usuários
-
- 585 posts
(y)
- Sexo:Masculino
- Localidade:Belo Horizonte - MG
Posted 23/01/2009, 14:52
Problema Resolvido!
Caso o autor necessite que seu tópico seja reaberto, entrar em contato com a equipe de moderação.
Caso o autor necessite que seu tópico seja reaberto, entrar em contato com a equipe de moderação.
1 user(s) are reading this topic
0 membro(s), 1 visitante(s) e 0 membros anônimo(s)
