Archived

This topic has been archived and is closed to further replies.

Edvan

[Archived] ComboFix caught something strange

Logfile of HijackThis v1.99.1

Scan saved at 19:21:04, on 26/5/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe

C:\winhost.exe

C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

C:\Arquivos de programas\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe

C:\Arquivos de programas\internet explorer\iexplore.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Arquivos de programas\Windows Live Toolbar\msn_sl.exe

C:\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [NvGraphicsInterface] C:\winhost.exe

O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background

O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Arquivos de programas\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe

O8 - Extra context menu item: &Windows Live Search - res://C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Estatísticas do Antivírus da Web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)

O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

 

 

 

ComboFix 08-05-25.5 - Helena 2008-05-26 18:30:03.1 - FAT32x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.84 [GMT -3:00]

Executando de: C:\Documents and Settings\Helena\Desktop\ComboFix.exe

* Criado um novo ponto de restauro

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\start.exe

C:\WINDOWS\Web\default.htt

 

.

((((((((((((((((((((((( Ficheiros criados de 2008-04-26 to 2008-05-26 ))))))))))))))))))))))))))))))))

.

 

2008-05-26 18:08 . 2008-05-26 18:08 268 --ah----- C:\sqmdata10.sqm

2008-05-26 18:08 . 2008-05-26 18:08 244 --ah----- C:\sqmnoopt10.sqm

2008-05-24 13:01 . 2008-05-24 13:01 <DIR> d--hs---- C:\FOUND.000

2008-05-21 17:22 . 2008-05-21 17:22 <DIR> d--hs---- C:\FOUND.114

2008-05-20 12:20 . 2008-05-20 12:20 <DIR> d--hs---- C:\FOUND.113

2008-05-20 12:20 . 2008-05-20 14:31 90,112 --a------ C:\WINDOWS\DUMP3af5.tmp

2008-05-20 12:20 . 2008-05-24 13:27 90,112 --a------ C:\WINDOWS\DUMP2aa9.tmp

2008-05-20 11:59 . 2008-05-20 11:59 29,696 --a------ C:\winhost.exe

2008-05-20 07:48 . 2008-05-20 07:48 <DIR> d--hs---- C:\FOUND.112

2008-05-18 10:05 . 2008-05-18 10:05 <DIR> d--hs---- C:\FOUND.111

2008-05-18 09:35 . 2008-05-18 09:35 <DIR> d--hs---- C:\FOUND.110

2008-05-17 20:55 . 2008-05-17 20:55 <DIR> d--hs---- C:\FOUND.109

2008-05-17 19:21 . 2008-05-17 19:21 <DIR> d--hs---- C:\FOUND.108

2008-04-30 10:38 . 2008-04-30 10:38 <DIR> d--hs---- C:\FOUND.107

2008-04-29 13:00 . 2008-04-29 13:00 <DIR> d--hs---- C:\FOUND.106

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-10 23:36 1,386,496 ----a-w C:\WINDOWS\SYSTEM32\msvbvm60.dll

2008-03-25 04:49 621,344 ----a-w C:\WINDOWS\SYSTEM32\mswstr10.dll

2008-03-25 04:49 621,344 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mswstr10.dll

2008-03-25 04:49 183,072 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll

2008-03-25 04:49 183,072 ----a-w C:\WINDOWS\SYSTEM32\dllcache\msjint40.dll

2008-03-20 08:09 1,845,376 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys

2008-03-20 08:09 1,845,376 ----a-w C:\WINDOWS\SYSTEM32\dllcache\win32k.sys

2006-12-31 22:23 266 --sh--w C:\Arquivos de programas\desktop.ini

2006-12-31 22:23 11,280 ---h--w C:\Arquivos de programas\folder.htt

2006-12-31 23:34 1,682 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys

2006-12-31 23:34 56 --sh--r C:\WINDOWS\SYSTEM32\6874F3DF51.sys

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* entradas vazias & legítimas por defeito não são mostradas.

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]

@={7D688A77-C613-11D0-999B-00C04FD655E1}

 

[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]

2007-10-25 14:57 8484352 --a------ C:\WINDOWS\SYSTEM32\SHELL32.DLL

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avgnt"="C:\Arquivos de programas\AntiVir\avgnt.exe" [2007-04-02 10:35 327720]

"NvGraphicsInterface"="c:\winhost.exe" [2008-05-20 11:59 29696]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:45 15360]

 

C:\WINDOWS\All Users\Menu Iniciar\Programas\Iniciar\

Wireless Configuration Utility HW.51.lnk - C:\Arquivos de programas\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe [2004-12-15 10:41:28 454656]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.VDOM"= vdowave.drv

"VIDC.MJPG"= pvmjpg20.dll

 

[HKLM\~\startupfolder\C:^WINDOWS^All Users^Menu Iniciar^Programas^Iniciar^HP Digital Imaging Monitor.lnk]

path=C:\WINDOWS\All Users\Menu Iniciar\Programas\Iniciar\HP Digital Imaging Monitor.lnk

backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

--a------ 2004-08-04 00:45 15360 C:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2006-02-19 02:41 49152 C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

--a------ 2007-01-19 12:54 5674352 C:\Arquivos de programas\MSN Messenger\MsnMsgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

--a------ 2003-12-08 17:35 32768 C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

-ra------ 2005-06-20 11:42 77824 C:\WINDOWS\SOUNDMAN.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

--a------ 2007-08-22 15:27 68856 C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]

--a------ 2001-10-28 12:07 3072 C:\WINDOWS\SYSTEM32\systray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]

-ra------ 2004-09-01 06:28 53248 C:\WINDOWS\SYSTEM32\VTTimer.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]

"IrMon"=IrMon.exe

"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"C:\\Arquivos de programas\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"C:\\Arquivos de programas\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"C:\\Arquivos de programas\\Messenger\\MSMSGS.EXE"=

"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

"c:\\winhost.exe"=

 

 

*Newly Created Service* - CATCHME

.

Conteúdo da pasta 'Tarefas Agendadas'

"2008-05-03 22:00:02 C:\WINDOWS\Tasks\Aplicativo de ajuste.job"

"2008-05-24 16:41:06 C:\WINDOWS\Tasks\Verificar Atualizações para a Barra de Ferramentas do Windows Live.job"

- C:\Arquivos de programas\Windows Live Toolbar\MSNTBUP.EXE

.

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-26 18:31:24

Windows 5.1.2600 Service Pack 2 FAT NTAPI

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros ocultos ...

 

Varredura completada com sucesso

Ficheiros ocultos: 0

 

**************************************************************************

.

Tempo para conclusão: 2008-05-26 18:31:50

ComboFix-quarantined-files.txt 2008-05-26 21:31:48

 

Pre-Run: 51,874,201,600 bytes disponíveis

Post-Run: 52,222,099,456 bytes disponíveis

 

132 --- E O F --- 2008-05-20 10:53:34


Select and copy the text below, open Notepad and paste in the entry quoted below:

File::

C:\winhost.exe

 

Then save it to the desktop with the name CFScript.txt

 

Now drag CFScript.txt onto ComboFix as shown in the demonstration below.

CFScript.gif

 

ComboFix will run and will restart the PC automatically to complete the removal process.

 

IMPORTANT: Do not use the mouse or keyboard while ComboFix is running.

 

Reboot into Safe Mode (press F8 until the Safe Mode option screen appears)

Run HijackThis, click and select the lines:

O4 - HKLM\..\Run: [NvGraphicsInterface] C:\winhost.exe

Click Fix Checked

Once that is done, reboot in normal mode and generate a new HijackThis log.

 

Awaiting your reply.

 

When it finishes, a log will be generated at C:\ComboFix.txt. Post it together with the new HijackThis log.

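As an added example (not part of this thread or of either tool), the following Python script applies the same reasoning the helper used on this log: it parses the HijackThis O4 Run entries quoted above and flags any entry whose binary lives outside Windows or Program Files, sits in the drive root, or whose value name does not resemble the file name, which is what singles out C:\winhost.exe registered as "NvGraphicsInterface". The trusted-directory list and the name-matching heuristic are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input: the three O4 Run entries quoted from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvGraphicsInterface] C:\winhost.exe
O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
"""

# Assumption: directories where legitimately installed autostart programs normally live.
# "Arquivos de programas" is the Program Files folder on a Portuguese Windows XP.
TRUSTED_DIRS = ("windows", "program files", "arquivos de programas")

O4_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def extract_path(cmd: str) -> str:
    """Return the executable path from a Run value, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]  # assumes an unquoted path contains no spaces


def audit_o4_entries(log_text: str) -> list[dict]:
    """Flag O4 Run entries whose location or value name looks out of place."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line)
        if not m:
            continue
        path = PureWindowsPath(extract_path(m["cmd"]))
        parts = [p.lower() for p in path.parts[1:]]  # drop the drive anchor "C:\"
        reasons = []
        if len(parts) == 1:
            reasons.append("binary sits in the root of the drive")
        if not parts or parts[0] not in TRUSTED_DIRS:
            reasons.append("binary is outside Windows/Program Files")
        name, stem = m["name"].lower(), path.stem.lower()
        if name not in stem and stem not in name:
            reasons.append(f"value name '{m['name']}' does not match '{path.name}'")
        if reasons:
            findings.append({"hive": m["hive"], "name": m["name"], "path": str(path), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_o4_entries(SAMPLE_LOG):
        print(f"{f['hive']} [{f['name']}] {f['path']}: " + "; ".join(f["reasons"]))
```

Run against the sample, only the winhost.exe entry is reported; the Kaspersky and Messenger entries pass all three checks.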

Topic Archived

Since the author has not replied for more than 20 days, the topic has been archived.

If you are the author of the topic and want to reopen it, send a private message to a moderator of this section together with the link to this topic and explain the reason for reopening.
