Hi, could someone please take a look at the log below.
Thank you.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:51:53, on 16/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
c:\Alwil Software\Avast4\aswUpdSv.exe
c:\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Arquivos de programas\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\Program Files\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\Network Associates\Common Framework\FrameworkService.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\arquivos de programas\lenovo\system update\suservice.exe
C:\Arquivos de programas\Arquivos comuns\Lenovo\tvt_reg_monitor_svc.exe
C:\Arquivos de programas\Lenovo\Rescue and Recovery\rrservice.exe
C:\Arquivos de programas\Arquivos comuns\Lenovo\Scheduler\tvtsched.exe
C:\Arquivos de programas\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Arquivos de programas\Arquivos comuns\Lenovo\Logger\logmon.exe
c:\Alwil Software\Avast4\ashMaiSv.exe
c:\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Program Files\Java\jre6\bin\jusched.exe
C:\ALWILS~1\Avast4\ashDisp.exe
C:\Arquivos de programas\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Arquivos de programas\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Pidgin\pidgin.exe
C:\AL500\SEAR\BIN\SEAR.EXE
C:\AL500\alephcom\bin\toolbar.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ufrgs.br/ufrgs/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lenovo.com/br/pt
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\WINDOWS\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\WINDOWS\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\WINDOWS\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Arquivos de programas\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\WINDOWS\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] c:\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Aleph 500.14.2 Version Check.lnk = C:\AL500\ALEPHCOM\BIN\VERSION.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Arquivos de programas\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Arquivos de programas\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: System Update - {DA320635-F48C-4613-8325-D75A933C549E} - C:\Arquivos de programas\Lenovo\System Update\sulauncher.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - \Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - \Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/br/pt
O17 - HKLM\System\CCS\Services\Tcpip\..\{154EE3C1-6D0E-4F5F-9AD4-2F66BD914029}: NameServer = 143.54.1.52,143.54.1.53
O17 - HKLM\System\CS1\Services\Tcpip\..\{154EE3C1-6D0E-4F5F-9AD4-2F66BD914029}: NameServer = 143.54.1.52,143.54.1.53
O17 - HKLM\System\CS2\Services\Tcpip\..\{154EE3C1-6D0E-4F5F-9AD4-2F66BD914029}: NameServer = 143.54.1.52,143.54.1.53
O20 - Winlogon Notify: AwayNotify - C:\Arquivos de programas\Lenovo\AwayTask\AwayNotify.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - c:\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - c:\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - c:\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - c:\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Arquivos de programas\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\WINDOWS\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Serviço McAfee Framework (McAfeeFramework) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: System Update (SUService) - - c:\arquivos de programas\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Arquivos de programas\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Arquivos de programas\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Arquivos de programas\Arquivos comuns\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Arquivos de programas\Lenovo\Rescue and Recovery\ADM\IUService.exe
--
End of file - 7187 bytes
Hi, here are the logs.
Thank you.
******************
ComboFix 09-02-17.02 - aperte enter 2009-02-18 14:15:54.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1046.18.2046.1549 [GMT -3:00]
Executando de: c:\documents and settings\aperte enter\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090217-0] On-access scanning disabled (Updated)
* Criado um novo ponto de restauro
.
(((((((((((((((( Arquivos/Ficheiros criados de 2009-01-18 to 2009-02-18 ))))))))))))))))))))))))))))
.
2009-02-18 14:15 . 2009-02-18 14:17 <DIR> d-------- C:\ComboFix
2009-02-18 09:51 . 2009-02-18 09:51 <DIR> d-------- c:\windows\LastGood
2009-02-17 10:36 . 2009-02-17 10:36 <DIR> d--hs---- C:\RECYCLER
2009-02-16 16:00 . 2009-02-18 14:15 <DIR> d-------- C:\Qoobox
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
d-sh--w 0 2009-02-17 13:36:45 \RECYCLER
d-sh--w 0 2009-02-13 15:42:50 \Config.Msi
d---a-w 0 2009-02-18 17:16:54 \WINDOWS
d-----w 0 2009-02-18 17:17:03 \ComboFix
d-----w 0 2009-02-18 17:15:46 \Qoobox
d-----w 0 2009-02-18 15:00:57 \SWSHARE
d-----w 0 2009-02-17 14:07:51 \temp
d-----w 0 2009-01-22 16:35:15 \Program Files
d-----w 0 2008-12-23 13:23:44 \AL500
2009-02-18 17:13 --------- d-----w c:\documents and settings\aperte enter\Dados de aplicativos\.purple
2009-02-16 15:26 5,427 ------w c:\windows\system32\EGATHDRV.SYS
2008-12-23 16:56 --------- d-----w c:\documents and settings\Aperte enter_2\Dados de aplicativos\.purple
2008-12-18 13:11 --------- d-----w c:\documents and settings\aperte enter\Dados de aplicativos\gtk-2.0
2008-12-15 17:51 579,072 ------w c:\windows\system32\dllcache\user32.dll
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
--sha-w 2,145,386,496 2009-02-18 12:49:46 \pagefile.sys
--sha-w 2,145,308,672 2009-02-18 12:49:47 \hiberfil.sys
--sh--r 251,696 2008-07-11 18:07:33 \NTLDR
--sh--r 47,564 2004-08-04 12:00:00 \NTDETECT.COM
--sh--r 4,952 2004-08-04 12:00:00 \bootfont.bin
--sh--r 281 2008-12-09 17:28:46 \boot.ini
--sh--r 0 2006-02-16 08:27:17 \MSDOS.SYS
--sh--r 0 2006-02-16 08:27:17 \IO.SYS
---h--w 268 2007-11-05 16:50:40 \sqmdata00.sqm
---h--w 244 2007-11-05 16:50:39 \sqmnoopt00.sqm
------w 3,894,694 2007-08-24 15:30:27 \install.log
.
((((((((((((((((((((((((((((( SnapShot@2009-02-16_16.02.08,85 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-18 12:50:05 16,384 -----tw c:\windows\temp\Perflib_Perfdata_1d4.dat
+ 2009-02-18 12:49:55 16,384 -----tw c:\windows\temp\Perflib_Perfdata_70c.dat
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
Nota entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\windows\Program Files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"avast!"="c:\alwils~1\Avast4\ashDisp.exe" [2009-02-05 81000]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\
Aleph 500.14.2 Version Check.lnk - c:\al500\ALEPHCOM\BIN\VERSION.EXE [2008-12-23 761856]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-06-18 14:06 49152 c:\arquivos de programas\Lenovo\AwayTask\AwayNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-10 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-12-10 20560]
R2 PrivateDisk;PrivateDisk;c:\arquivos de programas\Lenovo\SafeGuard PrivateDisk\privatediskm.sys [2006-03-13 58368]
R2 smi2;smi2;c:\arquivos de programas\SMI2\smi2.sys [2006-07-14 3968]
.
Conteúdo da pasta 'Tarefas Agendadas'
2009-02-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\arquivos de programas\Apple Software Update\SoftwareUpdate.exe []
.
.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.ufrgs.br/ufrgs/
uInternet Connection Wizard,ShellNext = hxxp://www.lenovo.com/br/pt
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: ufrgs.br\www11
TCP: {154EE3C1-6D0E-4F5F-9AD4-2F66BD914029} = 143.54.1.52,143.54.1.53
FF - ProfilePath - c:\documents and settings\aperte enter\Dados de aplicativos\Mozilla\Firefox\Profiles\l2uqh3h3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ufrgs.br
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-18 14:16:52
Windows 5.1.2600 Service Pack 3 NTFS
Procurando processos ocultos ...
Procurando entradas auto inicializáveis ocultas ...
Procurando ficheiros/arquivos ocultos ...
Varredura completada com sucesso
arquivos/ficheiros ocultos: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|é•6~*]
"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------
c:\windows\system32\Ati2evxx.dll
c:\arquivos de programas\Lenovo\AwayTask\AwayNotify.dll
.
Tempo para conclusão: 2009-02-18 14:17:53
ComboFix-quarantined-files.txt 2009-02-18 17:17:51
ComboFix2.txt 2009-02-16 19:02:48
ComboFix3.txt 2008-12-11 12:19:00
Pré-execução: 29 pasta(s) 129.539.317.760 bytes disponíveis
Pós execução: 29 pasta(s) 129,525,215,232 bytes disponíveis
139 --- E O F --- 2009-02-18 17:06:16
*******************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:19:53, on 18/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
c:\Alwil Software\Avast4\aswUpdSv.exe
c:\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Arquivos de programas\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\Program Files\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\Network Associates\Common Framework\FrameworkService.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\arquivos de programas\lenovo\system update\suservice.exe
C:\Arquivos de programas\Arquivos comuns\Lenovo\tvt_reg_monitor_svc.exe
C:\Arquivos de programas\Lenovo\Rescue and Recovery\rrservice.exe
C:\Arquivos de programas\Arquivos comuns\Lenovo\Scheduler\tvtsched.exe
C:\Arquivos de programas\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Arquivos de programas\Arquivos comuns\Lenovo\Logger\logmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Program Files\Java\jre6\bin\jusched.exe
C:\ALWILS~1\Avast4\ashDisp.exe
C:\Arquivos de programas\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\explorer.exe
c:\Alwil Software\Avast4\ashMaiSv.exe
c:\Alwil Software\Avast4\ashWebSv.exe
C:\Arquivos de programas\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ufrgs.br/ufrgs/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lenovo.com/br/pt
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\WINDOWS\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\WINDOWS\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\WINDOWS\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Arquivos de programas\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\WINDOWS\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] c:\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Aleph 500.14.2 Version Check.lnk = C:\AL500\ALEPHCOM\BIN\VERSION.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Arquivos de programas\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Arquivos de programas\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: System Update - {DA320635-F48C-4613-8325-D75A933C549E} - C:\Arquivos de programas\Lenovo\System Update\sulauncher.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - \Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - \Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/br/pt
O17 - HKLM\System\CCS\Services\Tcpip\..\{154EE3C1-6D0E-4F5F-9AD4-2F66BD914029}: NameServer = 143.54.1.52,143.54.1.53
O17 - HKLM\System\CS1\Services\Tcpip\..\{154EE3C1-6D0E-4F5F-9AD4-2F66BD914029}: NameServer = 143.54.1.52,143.54.1.53
O17 - HKLM\System\CS2\Services\Tcpip\..\{154EE3C1-6D0E-4F5F-9AD4-2F66BD914029}: NameServer = 143.54.1.52,143.54.1.53
O20 - Winlogon Notify: AwayNotify - C:\Arquivos de programas\Lenovo\AwayTask\AwayNotify.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - c:\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - c:\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - c:\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - c:\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Arquivos de programas\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\WINDOWS\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Serviço McAfee Framework (McAfeeFramework) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: System Update (SUService) - - c:\arquivos de programas\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Arquivos de programas\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Arquivos de programas\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Arquivos de programas\Arquivos comuns\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Arquivos de programas\Lenovo\Rescue and Recovery\ADM\IUService.exe
--
End of file - 7141 bytes
***********************
Good afternoon, Annluciap!
Insert your removable drive(s), if you have any, into the USB port (pen drive, mp3, mp4, iPods, etc.).
<@> Select and copy all of the content in the QUOTE area into Notepad.
<@> Save it on the Desktop with the name: CFScript.txt
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
REGNULL::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|é•6~*]
<@> Drag CFScript.txt onto the ComboFix icon.
<@> See the demonstration!
<@> Accept the prompt that should appear to run ComboFix.
<@> PS: Keep dragging until that prompt (window) appears!
<@> When it finishes, post the reports: C:\ComboFix.txt + an updated HijackThis log.
Regards!
Hi, here are the new logs. Thank you.
******************
ComboFix 09-02-17.02 - aperte enter 2009-02-19 15:59:27.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1046.18.2046.1579 [GMT -3:00]
Executando de: c:\documents and settings\aperte enter\Desktop\ComboFix.exe
Comandos utilizados :: c:\documents and settings\aperte enter\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090218-0] On-access scanning disabled (Updated)
* Criado um novo ponto de restauro
.
(((((((((((((((( Arquivos/Ficheiros criados de 2009-01-19 to 2009-02-19 ))))))))))))))))))))))))))))
.
2009-02-19 15:58 . 2009-02-19 16:00 <DIR> d-------- C:\ComboFix
2009-02-19 14:40 . 2009-02-19 14:40 <DIR> d--hs---- C:\RECYCLER
2009-02-19 09:46 . 2009-02-19 09:46 <DIR> d-------- c:\windows\LastGood
2009-02-19 09:45 . 2009-02-19 09:45 <DIR> d-------- C:\493a4eed62c4122cf127
2009-02-16 16:00 . 2009-02-19 15:59 <DIR> d-------- C:\Qoobox
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
d-sh--w 0 2009-02-19 17:40:47 \RECYCLER
d-sh--w 0 2009-02-13 15:42:50 \Config.Msi
d---a-w 0 2009-02-19 19:00:51 \WINDOWS
2009-02-19 18:54 --------- d-----w c:\documents and settings\aperte enter\Dados de aplicativos\.purple
2009-02-16 15:26 5,427 ------w c:\windows\system32\EGATHDRV.SYS
2008-12-23 16:56 --------- d-----w c:\documents and settings\Aperte enter_2\Dados de aplicativos\.purple
2008-12-15 17:51 579,072 ------w c:\windows\system32\dllcache\user32.dll
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
--sha-w 2,145,386,496 2009-02-19 12:38:52 \pagefile.sys
--sha-w 2,145,308,672 2009-02-19 12:38:54 \hiberfil.sys
--sh--r 251,696 2008-07-11 18:07:33 \NTLDR
--sh--r 47,564 2004-08-04 12:00:00 \NTDETECT.COM
--sh--r 4,952 2004-08-04 12:00:00 \bootfont.bin
--sh--r 281 2008-12-09 17:28:46 \boot.ini
--sh--r 0 2006-02-16 08:27:17 \MSDOS.SYS
--sh--r 0 2006-02-16 08:27:17 \IO.SYS
---h--w 268 2007-11-05 16:50:40 \sqmdata00.sqm
---h--w 244 2007-11-05 16:50:39 \sqmnoopt00.sqm
------w 3,894,694 2007-08-24 15:30:27 \install.log
.
((((((((((((((((((((((((((((( SnapShot@2009-02-16_16.02.08,85 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-19 12:39:08 16,384 ----atw c:\windows\temp\Perflib_Perfdata_1bc.dat
+ 2009-02-19 12:39:13 16,384 ----atw c:\windows\temp\Perflib_Perfdata_1dc.dat
+ 2009-02-19 12:39:02 16,384 ----atw c:\windows\temp\Perflib_Perfdata_718.dat
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
Nota entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\windows\Program Files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"avast!"="c:\alwils~1\Avast4\ashDisp.exe" [2009-02-05 81000]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\
Aleph 500.14.2 Version Check.lnk - c:\al500\ALEPHCOM\BIN\VERSION.EXE [2008-12-23 761856]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-06-18 14:06 49152 c:\arquivos de programas\Lenovo\AwayTask\AwayNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-10 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-12-10 20560]
R2 PrivateDisk;PrivateDisk;c:\arquivos de programas\Lenovo\SafeGuard PrivateDisk\privatediskm.sys [2006-03-13 58368]
R2 smi2;smi2;c:\arquivos de programas\SMI2\smi2.sys [2006-07-14 3968]
.
Conteúdo da pasta 'Tarefas Agendadas'
2009-02-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\arquivos de programas\Apple Software Update\SoftwareUpdate.exe []
.
.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.ufrgs.br/ufrgs/
uInternet Connection Wizard,ShellNext = hxxp://www.lenovo.com/br/pt
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: ufrgs.br\www11
TCP: {154EE3C1-6D0E-4F5F-9AD4-2F66BD914029} = 143.54.1.52,143.54.1.53
FF - ProfilePath - c:\documents and settings\aperte enter\Dados de aplicativos\Mozilla\Firefox\Profiles\l2uqh3h3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ufrgs.br
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-19 16:00:49
Windows 5.1.2600 Service Pack 3 NTFS
Procurando processos ocultos ...
Procurando entradas auto inicializáveis ocultas ...
Procurando ficheiros/arquivos ocultos ...
Varredura completada com sucesso
arquivos/ficheiros ocultos: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|é•6~*]
"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------
c:\windows\system32\Ati2evxx.dll
c:\arquivos de programas\Lenovo\AwayTask\AwayNotify.dll
.
Tempo para conclusão: 2009-02-19 16:01:53
ComboFix-quarantined-files.txt 2009-02-19 19:01:50
ComboFix2.txt 2009-02-18 17:17:54
ComboFix3.txt 2009-02-16 19:02:48
ComboFix4.txt 2008-12-11 12:19:00
Pré-execução: 30 pasta(s) 129.176.399.872 bytes disponíveis
Pós execução: 30 pasta(s) 129,162,158,080 bytes disponíveis
131 --- E O F --- 2009-02-19 12:46:02
******************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:03:59, on 19/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
c:\Alwil Software\Avast4\aswUpdSv.exe
c:\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Arquivos de programas\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\Program Files\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\Network Associates\Common Framework\FrameworkService.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\arquivos de programas\lenovo\system update\suservice.exe
C:\Arquivos de programas\Arquivos comuns\Lenovo\tvt_reg_monitor_svc.exe
C:\Arquivos de programas\Lenovo\Rescue and Recovery\rrservice.exe
C:\Arquivos de programas\Arquivos comuns\Lenovo\Scheduler\tvtsched.exe
C:\Arquivos de programas\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Arquivos de programas\Arquivos comuns\Lenovo\Logger\logmon.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Program Files\Java\jre6\bin\jusched.exe
C:\ALWILS~1\Avast4\ashDisp.exe
C:\Arquivos de programas\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Arquivos de programas\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\explorer.exe
c:\Alwil Software\Avast4\ashMaiSv.exe
c:\Alwil Software\Avast4\ashWebSv.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ufrgs.br/ufrgs/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lenovo.com/br/pt
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\WINDOWS\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\WINDOWS\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\WINDOWS\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Arquivos de programas\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\WINDOWS\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] c:\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Aleph 500.14.2 Version Check.lnk = C:\AL500\ALEPHCOM\BIN\VERSION.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Arquivos de programas\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Arquivos de programas\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: System Update - {DA320635-F48C-4613-8325-D75A933C549E} - C:\Arquivos de programas\Lenovo\System Update\sulauncher.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - \Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - \Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/br/pt
O17 - HKLM\System\CCS\Services\Tcpip\..\{154EE3C1-6D0E-4F5F-9AD4-2F66BD914029}: NameServer = 143.54.1.52,143.54.1.53
O17 - HKLM\System\CS1\Services\Tcpip\..\{154EE3C1-6D0E-4F5F-9AD4-2F66BD914029}: NameServer = 143.54.1.52,143.54.1.53
O17 - HKLM\System\CS2\Services\Tcpip\..\{154EE3C1-6D0E-4F5F-9AD4-2F66BD914029}: NameServer = 143.54.1.52,143.54.1.53
O20 - Winlogon Notify: AwayNotify - C:\Arquivos de programas\Lenovo\AwayTask\AwayNotify.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - c:\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - c:\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - c:\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - c:\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Arquivos de programas\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\WINDOWS\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Serviço McAfee Framework (McAfeeFramework) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: System Update (SUService) - - c:\arquivos de programas\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Arquivos de programas\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Arquivos de programas\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Arquivos de programas\Arquivos comuns\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Arquivos de programas\Lenovo\Rescue and Recovery\ADM\IUService.exe
--
End of file - 7141 bytes
Good afternoon! Annluciap
<@> Go to Start --> Run --> Type or paste: combofix.exe /u --> Click OK.
<@> The following window will open: ( Open File - Security Warning )
<@> Click Run --> Wait!
<@> Finally, the message will appear: "ComboFix is uninstalled" --> Click OK.
<@> If you find them, delete: C:\ComboFix <-- The folder! + C:\ComboFix.txt <-- The report!
<><><><><><><><><>
<!> Set up a vaccine for your removable drives with Flash Disinfector.
<><><><><><><><><>
<@> Download: < Flash Disinfector >
<@> Save it directly to Local Disk C.
<@> Plug your removable drives into the USB port!
<@> Double-click: Flash_Disinfector.exe
<@> Wait for it to finish!
<><><><><><><><><>
<!> The log is clean! :thumbsup:
Regards!
Hi, sorry for the late reply.
Thanks for the help.
PROBLEM SOLVED!
If the author needs the topic reopened, just send a Private Message to a Moderator with a link to the topic.
Good evening! Annluciap
<@> Download: < ComboFix > ( ...by sUBs )
<@> Save it to the desktop!
<@> Disable the resident protection of: antivirus, antispyware and firewall. ( Except the Windows one! )
<@> Close all windows and run the tool!
<@> At the prompt: "Disclaimer of software warranty" --> Click Yes!
<@> If you do not have the "Recovery Console", agree to install it!
<!> PS: Name it while saving, not after saving it!
<!> PS: If any error message appears, run ComboFix.exe in Safe Mode. <-- Link!
<!> PS: To complete the removals, the tool may need to restart the computer. <-- Wait!
<!> PS: Avoid running this tool on your own initiative! Follow all the recommendations given above.
<@> The Auto Scan window will open. --> Wait!
<@> In order to complete the removals, ComboFix may restart the computer.
<@> If required, type the option to continue! --> ( 1 ) --> Press Enter! --> Wait for it to finish!
<@> During the scan, avoid touching the mouse or keyboard! <-- Important!
<@> To stop or exit ComboFix, press "N" or "2" --> Press Enter!
<><><><><><><><><><>
<@> When it finishes, post the reports: C:\ComboFix.txt + an updated HijackThis log.
Regards!