[Arquivado]Aos participantes iMasters:

[Educta2008 0]

Bom, pra variar mais um caso de pc infectado:

 

Reboots repentinos...

Jogos que não abrem, permanecendo só na tela de inicio...

Quando tenta-se usar o spybot, o pc reinicia as vezes...

o avast fica comprometido qdo tenta-se fzr um scan....

diversas mensagens, com opção de depurar ou fechar....

MSN, insiste em fechar após mensagem de erro...

Iexplorer fecha apos mensagem de depuração....

Word não executa corretamente...

 

Este forum me socorreu c o mesmo problema meses atras, mas ele voltou. Sera que apenas ficou latente durante este tempo?

O que posso fazer? Gostaria de postar um log do Hijack: Ps. Ontem passei o log para examinar, e me disseram estar ok, mas os probs persistem.

 

Logfile of HijackThis v1.99.1

Scan saved at 11:53, on 2007-10-20

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Sygate\SPF\smc.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Arquivos de programas\SpywareGuard\sgmain.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

C:\Arquivos de programas\SpywareGuard\sgbhp.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\setup\avast.setup

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Administrador\Desktop\segurança do pc\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Arquivos de programas\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [smcService] C:\ARQUIV~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background

O4 - Startup: SpywareGuard.lnk = C:\Arquivos de programas\SpywareGuard\sgmain.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O14 - IERESET.INF: START_PAGE_URL=http://www.compartilhando.org/

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Arquivos de programas\Sygate\SPF\smc.exe

[DigRam 144]

Boa Noite Educta2008!

 

>@< Faça o download do ComboFix.

>@< Baixe-o para o Desktop!

>@< Feche todas as janelas e execute a ferramenta!

>@< Para quem possui o Avast,surgirá um alerta de malware ( Win32 D adobra-EY[Trj] ),que deverá ser ignorado.

>@< Abrirá a janela Auto Scan. Aguarde!

>@< Digite a opção para continuar < Enter >

>@< Aguarde a conclusão!

>@< Poste o relatório: C:\ComboFix.txt,na sua resposta + Log do HJT,atualizado.

 

Abraços!

[Educta2008 0]

Apartir da presente, agradeço a atenção!

 

Como solicitado, estou postando o log do combofix. Ressalto que foi difícil gerar o log, pois quando o pc n reinicia no meio do processo, aparecem menssagens de erro que fecham o combofix. Este log foi gerado sem problema depois de algumas tentativas.

 

Os sintomas ainda persistem, e imagino que a tendência é piorarem atpe o windows ficar inacessível.

 

Desde já, grato e até a próxima resposta!

 

Bom, valos aos logs:

 

Combofix:

________________________________________________________________________________

___________________

ComboFix 07-07-30.2 - "Administrador" 2007-10-20 15:55:06.38 [GMT -3:00] - NTFS

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.Verdadeiro

 

 

((((((((((((((((((((((((( Files Created from 2007-09-20 to 2007-10-20 )))))))))))))))))))))))))))))))

 

 

2007-10-20 12:28 <DIR> d-------- C:\LinhaDefensiva

2007-10-20 10:14 <DIR> d--hs---- C:\WINDOWS\ftpcache

2007-10-19 21:36 4,718,592 --a------ C:\DOCUME~1\ADMINI~1\ntuser.dat

2007-10-19 15:11 <DIR> d-------- C:\Arquivos de programas\Activision

2007-10-15 10:55 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DADOSD~1\Apple Computer

2007-10-15 10:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\Apple Computer

2007-10-15 10:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\Apple

2007-10-15 10:54 <DIR> d-------- C:\Arquivos de programas\QuickTime

2007-10-15 10:54 <DIR> d-------- C:\Arquivos de programas\Apple Software Update

2007-10-10 19:41 <DIR> d-------- C:\Flight One Software

2007-10-08 00:18 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DADOSD~1\uTorrent

2007-10-04 11:34 <DIR> d-------- C:\Arquivos de programas\BitPim

2007-10-03 17:53 65,536 --a------ C:\WINDOWS\system32\a1.dll

2007-10-03 17:53 520,192 --a------ C:\WINDOWS\system32\wscma2u.exe

2007-10-03 17:53 278,528 --a------ C:\WINDOWS\system32\ammpp.dll

2007-10-03 17:53 193,536 --a------ C:\WINDOWS\system32\atomid.exe

2007-10-03 17:53 <DIR> d-------- C:\Arquivos de programas\AnMing

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-10-20 00:56 --------- d-------- C:\Arquivos de programas\eMule

2007-10-19 23:24 --------- d-------- C:\Arquivos de programas\SpywareGuard

2007-10-19 15:10 --------- d-------- C:\Arquivos de programas\Arquivos comuns\InstallShield

2007-10-14 18:16 936 --a------ C:\logMX500.dat

2007-10-10 19:42 729088 --a------ C:\WINDOWS\iun6002.exe

2007-09-06 07:09 801144 --a------ C:\WINDOWS\system32\aswBoot.exe

2007-09-06 07:05 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys

2007-09-06 07:05 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys

2007-09-06 07:03 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys

2007-09-06 07:02 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys

2007-09-06 07:00 95608 --a------ C:\WINDOWS\system32\AvastSS.scr

2007-09-06 07:00 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys

2007-09-04 17:51 --------- d--h----- C:\Arquivos de programas\InstallShield Installation Information

2007-09-03 16:41 68578 --a------ C:\WINDOWS\system32\perfc016.dat

2007-09-03 16:41 427700 --a------ C:\WINDOWS\system32\perfh016.dat

2007-09-02 18:13 --------- d-------- C:\Arquivos de programas\FLV Player

2007-08-26 22:48 131072 --a------ C:\WINDOWS\system32\SKCA32.dll

2007-08-26 22:48 104960 --a------ C:\WINDOWS\system32\KEYLIB32.dll

2007-08-14 13:43 917676 --a------ C:\irunin.dat

2007-08-06 19:55 90 ---hs---- C:\WINDOWS\cnerolf.dat

2007-07-24 21:17 592 --a------ C:\WINDOWS\chgkey.vbs

2007-07-24 00:28 0 -rahs---- C:\MSDOS.SYS

2007-07-24 00:28 0 -rahs---- C:\IO.SYS

2007-07-24 00:28 0 --a------ C:\CONFIG.SYS

2007-07-24 00:28 0 --a------ C:\AUTOEXEC.BAT

2007-07-24 00:26 21844 --a------ C:\WINDOWS\system32\emptyregdb.dat

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe" [2006-04-30 23:07]

"SoundMAX"="C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" [2006-04-10 09:19]

"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 07:06]

"SmcService"="C:\ARQUIV~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]

"QuickTime Task"="C:\Arquivos de programas\QuickTime\QTTask.exe" [2007-06-29 06:24]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:45]

"MsnMsgr"="C:\Arquivos de programas\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"MsnMsgr"="C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background

 

C:\Documents and Settings\Administrador\Menu Iniciar\Programas\Inicializar\

SpywareGuard.lnk - C:\Arquivos de programas\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

 

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\

Adobe Reader Speed Launch.lnk - C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"=1 (0x1)

 

R0 speedfan;speedfan;C:\WINDOWS\system32\speedfan.sys

R0 Teefer;Teefer for NT;C:\WINDOWS\system32\Drivers\Teefer.sys

R1 AmdK8;AMD Processor Driver;C:\WINDOWS\system32\DRIVERS\AmdK8.sys

R1 wpsdrvnt;wpsdrvnt;\??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys

R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};\??\C:\Arquivos de programas\CyberLink\PowerDVD0.fcl

R2 wg3n;SyGate for NT, wg3n;C:\WINDOWS\system32\Drivers\wg3n.sys

R2 wg4n;SyGate for NT, wg4n;C:\WINDOWS\system32\Drivers\wg4n.sys

R2 wg5n;SyGate for NT, wg5n;C:\WINDOWS\system32\Drivers\wg5n.sys

R2 wg6n;SyGate for NT, wg6n;C:\WINDOWS\system32\Drivers\wg6n.sys

R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service;C:\WINDOWS\system32\drivers\ADIHdAud.sys

R3 IntelC51;IntelC51;C:\WINDOWS\system32\DRIVERS\IntelC51.sys

R3 IntelC52;IntelC52;C:\WINDOWS\system32\DRIVERS\IntelC52.sys

R3 IntelC53;IntelC53;C:\WINDOWS\system32\DRIVERS\IntelC53.sys

R3 mohfilt;mohfilt;C:\WINDOWS\system32\DRIVERS\mohfilt.sys

R3 MTsensor;ATK0110 ACPI UTILITY;C:\WINDOWS\system32\DRIVERS\ASACPI.sys

R3 SenFiltService;SenFilt Service;C:\WINDOWS\system32\drivers\Senfilt.sys

S3 usbbus;LGE CDMA Composite USB Device;C:\WINDOWS\system32\DRIVERS\lgusbbus.sys

S3 UsbDiag;LGE CDMA USB Serial Port;C:\WINDOWS\system32\DRIVERS\lgUsbDiag.sys

S3 USBModem;LGE CDMA USB Modem;C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys

S3 vncdrv;vncdrv;C:\WINDOWS\system32\DRIVERS\vncdrv.sys

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

AutoRun\command- F:\LaunchU3.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cd25fa28-5575-11dc-a21e-0018f3b257f1}]

AutoRun\command- F:\LaunchU3.exe

 

 

Contents of the 'Scheduled Tasks' folder

2007-10-15 13:54:11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Arquivos de programas\Apple Software Update\SoftwareUpdate.exe

 

**************************************************************************

 

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-10-20 15:56:50

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden registry entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-10-20 15:57:11

C:\ComboFix2.txt ... 2007-10-20 15:42

C:\ComboFix3.txt ... 2007-10-20 15:26

 

--- E O F ---

________________________________________________________________________________

_________________

HJ this:

 

Logfile of HijackThis v1.99.1

Scan saved at 15:57:41, on 20/10/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\savedump.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Sygate\SPF\smc.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe

C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Arquivos de programas\SpywareGuard\sgmain.exe

C:\Arquivos de programas\SpywareGuard\sgbhp.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\setup\avast.setup

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Administrador\Desktop\segurança do pc\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Arquivos de programas\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [smcService] C:\ARQUIV~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\QTTask.exe" -atboottime

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background

O4 - Startup: SpywareGuard.lnk = C:\Arquivos de programas\SpywareGuard\sgmain.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O14 - IERESET.INF: START_PAGE_URL=http://www.compartilhando.org/

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Arquivos de programas\Sygate\SPF\smc.exe

[DigRam 144]

Boa Noite Educta2008!

 

>@< Faça o download do SmitfraudFix.

>@< Salve-o no Disco Local-C e descompacte-o aí mesmo,enviando o executável ( SmitfraudFix.cmd ),para o Desktop.

>@< Reinicie o computador em Modo de Segurança!

>@< Execute o SmitfraudFix.cmd <!>

>@< Aperte a opção 2 >> Enter.

>@< Quando aparecer a mensagem: Do you want to clean the registry,aperte a opção Y >> Enter.

>@< Reinicie,normalmente,o computador!

>@< Caso tenha ocorrido mudanças,no desktop,corrija nas propriedades de vídeo.( Tema )

>@< Copie o Log ( rapport.txt ) e poste,na sua resposta.

 

Abraços!

[Educta2008 0]

Realmente estou mto satisfeito com a atenção DigRam!Como foi pedido, executei o programa dentro do que foi pedido.Na primeira tentativa, assim que li "Do you want to clean the registry" apertei a tecla y, o computador reiniciou automaticamente.Depois tentei novamente, e o processo foi executado com sucesso gerando o log em seguida. Após isso, reiniciei o pc e percebi que o desktop foi modificado.Grato, grande abraço! Torço para que meu problema seja eliminado.Estou postando somento o log gerado em rapport.txt:_______________________________________________SmitFraudFix v2.240Scan done at 10:31:08,56, dom 21/10/2007Run from C:\Documents and Settings\Administrador\DesktopOS: Microsoft Windows XP [versÆo 5.1.2600] - Windows_NTThe filesystem type is NTFSFix run in safe mode»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix!!!Attention, following keys are not inevitably infected!!!SrchSTS.exe by S!RiSearch SharedTaskScheduler's .dll»»»»»»»»»»»»»»»»»»»»»»»» Killing process»»»»»»»»»»»»»»»»»»»»»»»» hosts»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 FixS!Ri's WS2Fix: LSP not Found.»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos FixGenericRenosFix by S!Ri»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files»»»»»»»»»»»»»»»»»»»»»»»» DNSHKLM\SYSTEM\CCS\Services\Tcpip\..\{A1F0ED2F-3165-4313-B110-574356DE5EA0}: DhcpNameServer=201.17.0.14 201.17.0.12HKLM\SYSTEM\CS1\Services\Tcpip\..\{A1F0ED2F-3165-4313-B110-574356DE5EA0}: DhcpNameServer=201.17.0.14 201.17.0.12HKLM\SYSTEM\CS2\Services\Tcpip\..\{A1F0ED2F-3165-4313-B110-574356DE5EA0}: DhcpNameServer=201.17.0.14 201.17.0.12HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=201.17.0.14 201.17.0.12HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=201.17.0.14 201.17.0.12HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=201.17.0.14 201.17.0.12»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System!!!Attention, following keys are not inevitably infected!!![HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]"System"=""»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix!!!Attention, following keys are not inevitably infected!!!SrchSTS.exe by S!RiSearch SharedTaskScheduler's .dll»»»»»»»»»»»»»»»»»»»»»»»» End

[DigRam 144]

Bom Dia Educta2008!

 

>@< Desinstale: < SpywareGuard >

___________________

 

>@< Faça o download do a-squared Free 3.0

>@< Desabilite a proteção residente do SpyBot e do Avast,ao executar o a-squared.

>@< Abra o programa e clique em: Atualizar agora >> Aguarde!

>@< Terminando,clique em: Analisar agora.

>@< Procure fazer,esta análise,em Modo de Segurança!

>@< Escolha a opção: A fundo.

>@< Clique em Analisar!

>@< Terminando,envie os ítens encontrados para a quarentena. Aonde,daí,serão excluídos ou restaurados.

>@< Salve o relatório,desta verificação,e poste na sua resposta + HJT,atualizado.

 

Abraços!

[Educta2008 0]

Olá!

 

Pois bem:

 

O SpywareGuard foi desinstalado;

 

A análise foi feita no modo de segurança com rede com a-squared. Foram encontrados 20 objetos de risco médio e baixo;

 

Para constar, o Avast encontra-se travado por algum malware. Ignora atualização, não realiza análise no pc (acusa que algun arquivo foi destruído) e não ativa as proteções residentes (acusa erro de rpc). Não é possível desinstalar o antivirus também. Estou ignorando isto, pois acredito que ao serem eliminados os malwares, o avast voltará ao normal.

 

O relatório da análise a-squared foi salvo. Aqui está e, em seguida, o log do HJT:

___________________________________________________

a-squared Free - Versão 3.0

Last update: 22/10/2007 14:28:40

 

Configurações da análise:

 

Objetos: Memória, Rastros, Cookies, C:\, E:\

Análise de arquivos: Ligado

Heurística: Ligado

Análise de ADS: Ligado

 

Início da análise: 22/10/2007 14:32:02

 

c:\arquivos de programas\ultravnc detectado: Trace.Directory.UltraVNC

Key: HKEY_LOCAL_MACHINE\software\orl\winvnc3 detectado: Trace.Registry.VNC.CommonComponents

Value: HKEY_CLASSES_ROOT\CLSID\{18BBDF4D-611D-41CE-A7E7-B2DD23C250D1}\InprocServer32 --> ThreadingModel detectado: Trace.Registry. Spybouncer

Value: HKEY_CLASSES_ROOT\CLSID\{DB90DEA9-0897-4B02-9FE0-1E321A22EAB0}\InprocServer32 --> ThreadingModel detectado: Trace.Registry. Spybouncer

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{18BBDF4D-611D-41CE-A7E7-B2DD23C250D1}\InprocServer32 --> ThreadingModel detectado: Trace.Registry. Spybouncer

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DB90DEA9-0897-4B02-9FE0-1E321A22EAB0}\InprocServer32 --> ThreadingModel detectado: Trace.Registry. Spybouncer

C:\Documents and Settings\Administrador\Cookies\administrador@atdmt[2].txt detectado: Trace.TrackingCookie

C:\Documents and Settings\Administrador\Cookies\administrador@server.iad.liveperson[1].txt detectado: Trace.TrackingCookie

C:\Documents and Settings\Administrador\Cookies\administrador@server.iad.liveperson[2].txt detectado: Trace.TrackingCookie

C:\Documents and Settings\Administrador\Desktop\segurança do pc\SmitfraudFix.zip/Process.exe detectado: Riskware.RiskTool.Win32.Processor.20

C:\Documents and Settings\Administrador\Desktop\segurança do pc\SmitfraudFix.zip/Reboot.exe detectado: Riskware.RiskTool.Win32.Reboot.f

C:\Documents and Settings\Administrador\Desktop\UltraVNC-102-Setup.exe detectado: Riskware.RemoteAdmin.Win32.WinVNC.1102

C:\SmitfraudFix\Process.exe detectado: Riskware.RiskTool.Win32.Processor.20

C:\SmitfraudFix\Reboot.exe detectado: Riskware.RiskTool.Win32.Reboot.f

C:\WINDOWS\system32\Process.exe detectado: Riskware.RiskTool.Win32.Processor.20

E:\Flight Sim\Aeronaves\Flight Simulator 2004 - Add-On - Util Active Camera Full FS9.1.rar/AC2004.exe detectado: Riskware.Monitor.Win32.ChatWatch.252

E:\Flight Sim\Aeronaves\Flight Simulator 2004 - Add-On - Util Active Camera Full FS9.1.rar/ActiveCamera1.1 _and_ActiveCamera_2.zip/FS2004 ActiveCamera 1.1 Working & Complete with Patch Crack - Active Camera for Microsoft MS Flight Simulator 2004 - July 4 2004 - God Bless USA.zip/AC2004.exe detectado: Riskware.Monitor.Win32.ChatWatch.252

E:\Flight Sim\Aeronaves\Flight Simulator 2004 - Add-On - Util Active Camera Full FS9.1.rar/AC2004.exe detectado: Riskware.Monitor.Win32.ChatWatch.252

E:\Flight Sim\Aeronaves\Flight Simulator 2004 - Add-On - Util Active Camera Full FS9.1.rar/FS2004 ActiveCamera 1.1 Working & Complete with Patch Crack - Active Camera for Microsoft MS Flight Simulator 2004 - July 4 2004 - God Bless USA.zip/AC2004.exe detectado: Riskware.Monitor.Win32.ChatWatch.252

E:\Flight Sim\Aeronaves\Microsoft Flight Simulator 2004 Add On active camera+crack fs2004.ZIP/AC2004.exe detectado: Riskware.Monitor.Win32.ChatWatch.252

 

Analisado

 

Arquivos: 172608

Objetos: 145352

Cookies: 50

Processos: 12

 

Encontrado

 

Arquivos: 11

Objetos: 6

Cookies: 3

Processos: 0

Chaves do registro: 0

 

Fim da análise: 22/10/2007 15:01:59

Duração da análise: 00:29:57

 

E:\Flight Sim\Aeronaves\Flight Simulator 2004 - Add-On - Util Active Camera Full FS9.1.rar/AC2004.exe Em quarentena Riskware.Monitor.Win32.ChatWatch.252

E:\Flight Sim\Aeronaves\Flight Simulator 2004 - Add-On - Util Active Camera Full FS9.1.rar/ActiveCamera1.1 _and_ActiveCamera_2.zip/FS2004 ActiveCamera 1.1 Working & Complete with Patch Crack - Active Camera for Microsoft MS Flight Simulator 2004 - July 4 2004 - God Bless USA.zip/AC2004.exe Em quarentena Riskware.Monitor.Win32.ChatWatch.252

E:\Flight Sim\Aeronaves\Flight Simulator 2004 - Add-On - Util Active Camera Full FS9.1.rar/AC2004.exe Em quarentena Riskware.Monitor.Win32.ChatWatch.252

E:\Flight Sim\Aeronaves\Flight Simulator 2004 - Add-On - Util Active Camera Full FS9.1.rar/FS2004 ActiveCamera 1.1 Working & Complete with Patch Crack - Active Camera for Microsoft MS Flight Simulator 2004 - July 4 2004 - God Bless USA.zip/AC2004.exe Em quarentena Riskware.Monitor.Win32.ChatWatch.252

E:\Flight Sim\Aeronaves\Microsoft Flight Simulator 2004 Add On active camera+crack fs2004.ZIP/AC2004.exe Em quarentena Riskware.Monitor.Win32.ChatWatch.252

 

Em quarentena

 

Arquivos: 5

Objetos: 0

Cookies: 0

_______________________________________________

Agora o HJT:

________________________________________________

Logfile of HijackThis v1.99.1

Scan saved at 15:10:41, on 22/10/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Administrador\Desktop\segurança do pc\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [smcService] C:\ARQUIV~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O14 - IERESET.INF: START_PAGE_URL=http://www.compartilhando.org/

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Arquivos de programas\a-squared Free\a2service.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Arquivos de programas\Sygate\SPF\smc.exe

[DigRam 144]

Boa Noite Educta2008!

 

>@< Estando tudo Ok,vá à quarentena do a-squared.

>@< Selecione todo o conteúdo,e clique em Excluir.

______________________

 

>@< Configure o Windows para que mostre: Ver todos os Arquivos,até os ocultos!

>@< Desabilite as proteções residentes de AntiVírus e AntiSpywares!

>@< Faça o download da EliStarA.

>@< Baixe-a para o Desktop!

>@< Faça o download do EliTriIP.

>@< Baixe-o para o Desktop!

>@< Ps: Ambas,as ferramentas,estarão na página descargas ( Descargas > Utilidades SATINFO ).

>@< Selecione as ferramentas ( Uma por vez! ) e clique ao pé da página,no botão Descargar Eli....

>@< Faça o download do Clean.

>@< Salve-o no Disco Local-C e descompacte-o aí mesmo,enviando o executável para o Desktop! ( Atalho. )

>@< O executável é um ícone denominado: clean.cmd.

>@< Reinicie o computador e entre em Modo de Segurança.

>@< Execute,primeiro,a ferramenta: EliStartA.

>@< Vá ao seu ícone e execute-a!

>@< Aceite as condições propostas e aguarde o término do scan.

>@< Aguarde!Pois vai demorar um pouco para concluir a varredura do PC.

>@< Terminando,execute a ferramenta EliTriIP.

>@< O scan desta ferramenta é mais rápido!

>@< Terminando,execute o programa de limpeza profunda ( clean ) com um duplo clique no seu executável.

>@< Abrir-se-á um prompt com três opções: Escolha o dois ( 2 )!

>@< Aperte Enter! >> Aperte Enter,novamente! >> Aguarde!

>@< Aperte Enter,novamente!

>@< Surgirá um relatório ( rapport_clean ),que voçê deverá copiar e postar para análise.

______________________

 

>@< Poste o relatório infoSAT.txt que está na raíz C:\ ( Disco Local-C ) + rapport_clean.

>@< Poste,também,um nôvo Log do HijackThis,feito em Modo Normal,na sua resposta.

>@< Ps: A ferramenta EliStarA,deletará (Opcional! ) a sua página inicial!Posteriormente,voçê à configurará novamente.

 

Abraços!

[Educta2008 0]

Olá DigRam!

 

Executei tudo como foi pedido, sem deixar nada de fora.

 

Tudo foi feito no modo de segurança, pois o pc nao esta mais abrindo no modo normal.

 

Quanto aos logs:

 

As ferramentas ELI Start... e ELI TRI IP foram oK...

o Clean não funcionou como esperado. Quando se escolhe qualquer opção, na hora de executá-la, aparece a mensagem:

_____________________________________________

A CPU NTVDM encontrou uma instrução nao permitida.

CS:0000 IP:000b OP:f0 8b 01 70 00 Escolha fechar para finalizar o aplicativo

------------------------------------------------------------------------------------------

 

No entanto, ele gera um log incompleto.

 

Quanto ao HJT, vou postar um log feito no modo de segurança mesmo, já que n posso abrir em modo normal.

 

Pois é..tá crítico a coisa!

Abraços!

 

Vou postar os 3 logs:

 

INFOSAT:

 

________________________________________________________________________________

________________________________________________________________________________

____

 

Tue Oct 23 23:57:50 2007

EliStartPage v14.89 ©2007 S.G.H. / Satinfo S.L.

--------------------------------------------------

Lista de Acciones (por Acción Directa):

No detectado Parche MS06-001 de Microsoft instalado. (WMF)

No detectado Parche MS06-070 de Microsoft instalado. (SServidor)

ALERTA. WindowsUpdate Incompleto.

Eliminadas las Paginas de Inicio y de Busqueda del IE

Eliminados Ficheros Temporales del IE

 

Tue Oct 23 23:58:19 2007

EliStartPage v14.89 ©2007 S.G.H. / Satinfo S.L.

--------------------------------------------------

Lista de Acciones (por Exploración):

Explorando Unidad C:\

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Database Replication\WZCNFLCT.EXE --> Eliminado, AutoRun.IZ

C:\Arquivos de programas\CyberLink\PowerDVD\QT3SUPPORT4.DLL --> Eliminado, ISTBar

C:\ComboFix\NIRCMD.EXE --> Eliminado, Tool-NirCmd

C:\WINDOWS\NIRCMD.EXE --> Eliminado, Tool-NirCmd

C:\WINDOWS\assembly\GAC\System.Drawing.Design.resources\1.0.5000.0_pt-BR_b03f5f7f11d50a3a\SYSTEM.DRAWING.DESIGN.RESOURCES.DLL --> Eliminado, MalWare.Celular

C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\pt-BR\SYSTEM.DRAWING.DESIGN.RESOURCES.DLL --> Eliminado, MalWare.Celular

 

Nº Total de Directorios: 7179

Nº Total de Ficheros: 107117

Nº de Ficheros Analizados: 7402

Nº de Ficheros Infectados: 6

Nº de Ficheros Limpiados: 6

 

Wed Oct 24 00:01:11 2007

EliStartPage v14.89 ©2007 S.G.H. / Satinfo S.L.

--------------------------------------------------

Lista de Acciones (por Exploración):

Explorando Unidad E:\

 

Nº Total de Directorios: 209

Nº Total de Ficheros: 4330

Nº de Ficheros Analizados: 157

Nº de Ficheros Infectados: 0

Nº de Ficheros Limpiados: 0

 

Wed Oct 24 00:01:20 2007

EliStartPage v14.89 ©2007 S.G.H. / Satinfo S.L.

--------------------------------------------------

Lista de Acciones (por Exploración):

Explorando Unidad C:\

 

Nº Total de Directorios: 7179

Nº Total de Ficheros: 107111

Nº de Ficheros Analizados: 7396

Nº de Ficheros Infectados: 0

Nº de Ficheros Limpiados: 0

 

Wed Oct 24 00:03:38 2007

EliTriIP v4.03 ©2007 S.G.H. / Satinfo S.L.

---------------------------------------------

Lista de Acciones (por Acción Directa):

No detectado Parche MS06-001 de Microsoft instalado. (WMF)

No detectado Parche MS06-070 de Microsoft instalado. (SServidor)

ALERTA. WindowsUpdate Incompleto.

 

Wed Oct 24 00:03:46 2007

EliTriIP v4.03 ©2007 S.G.H. / Satinfo S.L.

---------------------------------------------

Lista de Acciones (por Exploración):

Explorando Unidad C:\

 

Wed Oct 24 00:03:58 2007

EliTriIP v4.03 ©2007 S.G.H. / Satinfo S.L.

---------------------------------------------

Lista de Acciones (por Acción Directa):

No detectado Parche MS06-001 de Microsoft instalado. (WMF)

No detectado Parche MS06-070 de Microsoft instalado. (SServidor)

ALERTA. WindowsUpdate Incompleto.

 

Wed Oct 24 00:04:08 2007

EliTriIP v4.03 ©2007 S.G.H. / Satinfo S.L.

---------------------------------------------

Lista de Acciones (por Exploración):

Explorando Unidad E:\

 

Nº Total de Directorios: 209

Nº Total de Ficheros: 4330

Nº de Ficheros Analizados: 231

Nº de Ficheros Infectados: 0

Nº de Ficheros Limpiados: 0

 

Wed Oct 24 00:04:14 2007

EliTriIP v4.03 ©2007 S.G.H. / Satinfo S.L.

---------------------------------------------

Lista de Acciones (por Exploración):

Explorando Unidad C:\

 

Nº Total de Directorios: 7179

Nº Total de Ficheros: 107114

Nº de Ficheros Analizados: 6689

Nº de Ficheros Infectados: 0

Nº de Ficheros Limpiados: 0

 

Wed Oct 24 00:08:13 2007

EliStartPage v14.89 ©2007 S.G.H. / Satinfo S.L.

--------------------------------------------------

Lista de Acciones (por Acción Directa):

No detectado Parche MS06-001 de Microsoft instalado. (WMF)

No detectado Parche MS06-070 de Microsoft instalado. (SServidor)

ALERTA. WindowsUpdate Incompleto.

Eliminadas las Paginas de Inicio y de Busqueda del IE

Eliminados Ficheros Temporales del IE

 

Wed Oct 24 00:08:17 2007

EliStartPage v14.89 ©2007 S.G.H. / Satinfo S.L.

--------------------------------------------------

Lista de Acciones (por Exploración):

Explorando Unidad C:\

 

Nº Total de Directorios: 7180

Nº Total de Ficheros: 107080

Nº de Ficheros Analizados: 7398

Nº de Ficheros Infectados: 0

Nº de Ficheros Limpiados: 0

 

Wed Oct 24 00:11:22 2007

EliTriIP v4.03 ©2007 S.G.H. / Satinfo S.L.

---------------------------------------------

Lista de Acciones (por Acción Directa):

No detectado Parche MS06-001 de Microsoft instalado. (WMF)

No detectado Parche MS06-070 de Microsoft instalado. (SServidor)

ALERTA. WindowsUpdate Incompleto.

 

Wed Oct 24 00:11:28 2007

EliTriIP v4.03 ©2007 S.G.H. / Satinfo S.L.

---------------------------------------------

Lista de Acciones (por Exploración):

Explorando Unidad C:\

 

Nº Total de Directorios: 7180

Nº Total de Ficheros: 107080

Nº de Ficheros Analizados: 6689

Nº de Ficheros Infectados: 0

Nº de Ficheros Limpiados: 0

 

Nº Total de Directorios: 4119

Nº Total de Ficheros: 30635

Nº de Ficheros Analizados: 2383

Nº de Ficheros Infectados: 0

Nº de Ficheros Limpiados: 0

Exploración Detenida por el Usuario.

_______________________________________________________________________________

_______________________________________________________________________________

Rapport Clean:

Script executed in Safe Mode

Rapport clean par Malekal_morte - http://www.malekal.com

Script executed in Safe Mode 2007-10-24 a 11:39:32.96

 

Microsoft Windows XP [versÆo 5.1.2600]

 

*** Suppression C:

 

*** Suppression C:\WINDOWS\

 

*** Suppression C:\WINDOWS\system32

 

*** Suppression C:\Arquivos de programas

________________________________________________________________________________

________________________________________________________________________________

 

HJT no modo seguro

________________________________________________________________________________

_

________________________________________________________________________________

 

Logfile of HijackThis v1.99.1

Scan saved at 11:46, on 2007-10-24

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Administrador\Desktop\segurança do pc\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [smcService] C:\ARQUIV~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O14 - IERESET.INF: START_PAGE_URL=http://www.compartilhando.org/

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Arquivos de programas\a-squared Free\a2service.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Arquivos de programas\Sygate\SPF\smc.exe

[DigRam 144]

Boa Noite Educta2008!

 

>@< Manualmente,delete os arquivos em destaque:

 

C:\WINDOWS\iun6002.exe

C:\irunin.dat

C:\WINDOWS\cnerolf.dat

 

>@< Abra o HijackThis e clique em: Do a system scan only.

>@< Marque as entradas,logo abaixo,e clique em: Fix checked.

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O11 - Options group: [iNTERNATIONAL] International*

>@< Não podendo,ainda,reiniciar em Modo Normal,tente restaurar o computador pela RS.

>@< Veja se existe um Ponto de Restauração,disponível.

>@< Vá em Iniciar >> Todos os programas >> Acessórios >> Ferramentas do sistema >> Restauração do sistema.

>@< Marque: Restaurar o computador mais cedo.

>@< Clique em Avançar!

>@< Busque um ponto de restauração,anterior ao problema.

__________________________

 

>@< Caso não disponha desse ponto,repare o Windows pelo CD de instalação!

>@< Se o seu computador,está configurado para iniciar através do Driver de CD-ROM,então insira o CD de instalação do Windows XP e reinicie o computador.

>@< Quando surgir uma mensagem,aperte qualquer tecla para iniciar,através do CD.

>@< Aceite a solicitação: Pressione a tecla Enter para configurar o Windows XP agora.

>@< Não selecione a opção de pressionar a tecla R,para utilizar o console de recuperação.

>@< No acordo de licença do Windows XP,pressione a tecla F8 para concordar com os termos.

>@< Confira se sua instalação atual do Windows XP,está selecionada e,então aperte R para reparar o Windows XP.

>@< Siga as instruções,dadas na tela,para completar a restauração.

_________________

 

>@< Caso encontre outra solução,mais eficiente,pode executá-la!

 

Abraços!

[Educta2008 0]

Olá! Demorei, mas consegui fzr a restaruação do sistema do XP.

 

Agora, por vezes é possível acessar o pc pelo modo normal.

 

Estou postando um novo log do Hjt para o atual estado do pc:

 

Logfile of HijackThis v1.99.1

Scan saved at 17:55:30, on 26/10/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Sygate\SPF\smc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\a-squared Free\a2service.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Documents and Settings\Administrador\Desktop\segurança do pc\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Arquivos de programas\SpywareGuard\dlprotect.dll (file missing)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [smcService] C:\ARQUIV~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O14 - IERESET.INF: START_PAGE_URL=http://www.compartilhando.org/

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Arquivos de programas\a-squared Free\a2service.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Arquivos de programas\Sygate\SPF\smc.exe

[DigRam 144]

Boa Tarde Educta2008!

 

>@< Faça o download do SilentRunners.

>@< Baixe-o para o Desktop!

>@< Descompacte-o e extraia o arquivo ( Executável ): SilentRunners.vbs para o Disco Local-C.

>@< Dê um duplo clique nesse arquivo!

>@< Aguarde!Pois será gerado um relatório ( Startup Programs xxxx data ).Onde xxxx é o nome do usuário!

>@< Poste,na sua resposta,um novo Log do HijackThis+Startup Programs xxxx data.

 

Abraços!

[Educta2008 0]

Olá!

 

executei e gerei os logs. Fiz no modo seguro.

 

"Silent Runners.vbs", revision 52, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"MsnMsgr" = ""C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background" [MS]

"SpybotSD TeaTimer" = "C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"SoundMAXPnP" = "C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe" ["Analog Devices, Inc."]

"SoundMAX" = ""C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" /tray" ["Analog Devices, Inc."]

"SmcService" = "C:\ARQUIV~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]

"QuickTime Task" = ""C:\Arquivos de programas\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."]

"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

-> {HKLM...CLSID} = "AcroIEHlprObj Class"

\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"

-> {HKLM...CLSID} = "SpywareGuardDLBLOCK.CBrowserHelper"

\InProcServer32\(Default) = "C:\Arquivos de programas\SpywareGuard\dlprotect.dll" [file not found]

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\ARQUIV~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Windows Live Sign-in Helper"

\InProcServer32\(Default) = "C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extensão do 'Painel de controle' para panorâmica de vídeo"

-> {HKLM...CLSID} = "Extensão do 'Painel de controle' para panorâmica de vídeo"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extensão de ícone do HyperTerminal"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

-> {HKLM...CLSID} = "DesktopContext Class"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

-> {HKLM...CLSID} = "NVIDIA CPL Extension"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

-> {HKLM...CLSID} = "Desktop Explorer"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

-> {HKLM...CLSID} = "nView Desktop Context Menu"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"

-> {HKLM...CLSID} = "Minhas Pastas de Compartilhamento"

\InProcServer32\(Default) = "C:\Arquivos de programas\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Arquivos de programas\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

-> {HKLM...CLSID} = "avast"

\InProcServer32\(Default) = "C:\Arquivos de programas\Alwil Software\Avast4\ashShell.dll" [file not found]

"{81559C35-8464-49F7-BB0E-07A383BEF910}" = (no title provided)

-> {HKLM...CLSID} = "SpywareGuard.Handler"

\InProcServer32\(Default) = "C:\Arquivos de programas\SpywareGuard\spywareguard.dll" [file not found]

"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Dispositivos Plug and Play universais"

-> {HKLM...CLSID} = "Dispositivos Plug and Play universais"

\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<<!>> "{81559C35-8464-49F7-BB0E-07A383BEF910}" = (no title provided)

-> {HKLM...CLSID} = "SpywareGuard.Handler"

\InProcServer32\(Default) = "C:\Arquivos de programas\SpywareGuard\spywareguard.dll" [file not found]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

-> {HKLM...CLSID} = "WPDShServiceObj Class"

\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

 

HKLM\Software\Classes\PROTOCOLS\Filter\

<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

 

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

-> {HKLM...CLSID} = "PDF Shell Extension"

\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

 

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

-> {HKLM...CLSID} = "avast"

\InProcServer32\(Default) = "C:\Arquivos de programas\Alwil Software\Avast4\ashShell.dll" [file not found]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

 

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

 

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

-> {HKLM...CLSID} = "avast"

\InProcServer32\(Default) = "C:\Arquivos de programas\Alwil Software\Avast4\ashShell.dll" [file not found]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

 

 

Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------

 

Note: detected settings may not have any effect.

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

 

"ForceClassicControlPanel" = (REG_DWORD) hex:0x00000001

{unrecognized setting}

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

 

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

 

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

 

"NoInternetOpenWith" = (REG_DWORD) hex:0x00000001

{unrecognized setting}

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Configurações locais\Dados de aplicativos\Microsoft\Wallpaper1.bmp"

 

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Microsoft\Wallpaper1.bmp"

 

 

Startup items in "Administrador" & "All Users" startup folders:

---------------------------------------------------------------

 

WARNING! "All Users" startup folder not found!

 

 

Enabled Scheduled Tasks:

------------------------

 

"AppleSoftwareUpdate" -> launches: "C:\Arquivos de programas\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

 

Transport Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Explorer Bars

 

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

 

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Pesquisar"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\ARQUIV~1\MICROS~1\OFFICE11\REFIEBAR.DLL" [MS]

 

Extensions (Tools menu items, main toolbar menu buttons)

 

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Pesquisar"

 

 

All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):

---------------------------------------------------------------------------

 

.NET Runtime Optimization Service v2.0.50727_X86, clr_optimization_v2.0.50727_32, "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe" [MS]

a-squared Free Service, a2free, ""C:\Arquivos de programas\a-squared Free\a2service.exe"" ["Emsi Software GmbH"]

ASP.NET State Service, aspnet_state, "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe" [MS]

Cyberlink RichVideo Service(CRVS), RichVideo, ""C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe"" [empty string]

Machine Debug Manager, MDM, ""C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]

Office Source Engine, ose, ""C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Source Engine\OSE.EXE"" [MS]

Serviço administrativo do gerenciador de disco lógico, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]

Serviço de Compartilhamento de Pastas Messenger do USN Journal Reader, usnjsvc, ""C:\Arquivos de programas\MSN Messenger\usnsvc.exe"" [MS]

Serviço de Compartilhamento de Rede do Windows Media Player, WMPNetworkSvc, ""C:\Arquivos de programas\Windows Media Player\WMPNetwk.exe"" [MS]

Serviço de Configuração de Rede, xmlprov, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\xmlprov.dll" [MS]}

Serviço de Número de Série de Mídia Portátil, WmdmPmSN, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\MsPMSNSv.dll" [MS]}

Sygate Personal Firewall, SmcService, "C:\Arquivos de programas\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."]

Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"C:\WINDOWS\System32\WUDFSvc.dll" [MS]}

 

 

Print Monitors:

---------------

 

HKLM\System\CurrentControlSet\Control\Print\Monitors\

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

 

 

---------- (launch time: 2007-10-27 20:05:23)

<<!>>: Suspicious data at a malware launch point.

 

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

DLL launch points, use the -supp parameter or answer "No" at the

first message box and "Yes" at the second message box.

---------- (total run time: 23 seconds, including 4 seconds for message boxes)

 

================================================================

Agora o HJT

 

 

Logfile of HijackThis v1.99.1

Scan saved at 20:09, on 2007-10-27

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\Notepad.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Documents and Settings\Administrador\Desktop\segurança do pc\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Arquivos de programas\SpywareGuard\dlprotect.dll (file missing)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [smcService] C:\ARQUIV~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O14 - IERESET.INF: START_PAGE_URL=http://www.compartilhando.org/

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Arquivos de programas\a-squared Free\a2service.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Arquivos de programas\Sygate\SPF\smc.exe

[DigRam 144]

Bom Dia Educta2008!

 

>@< Faça um escaneamento de desinfecção em < BitDefender > e poste o relatório.

>@< Clique em BitDefender ( Scan OnLine ).

>@< Abrirá a página: < BitDefender OnLine Scanner >

>@< Clique em I Agree.

>@< Aguarde!Permita a instalação do ActiveX,para que possa ocorrer o scan.

>@< Poste,então: Relatório do BitDefender + Log do HijackThis,atualizado.

 

Abraços!

[Sam Spade 2]

Tópico Arquivado

 

Como o autor não respondeu por mais de 20 dias, o tópico foi arquivado.

 

Caso você seja o autor do tópico e quer reabrir, envie uma mensagem privada para um moderador da área juntamente com o link para este tópico e explique o motivo da reabertura.