
Archived

This topic has been archived and is closed to further replies.

Tiago Miranda

[Resolved] HijackThis log

I suspect three entries I saw in my msconfig:

 

sempalong.exe

ctfmon.exe (which has 2 entries in msconfig pointing to the same place)

winhost.exe

 

Here is the log:

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:48:34, on 10/6/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Boot mode: Normal

 

Running processes:

F:\WINDOWS\System32\smss.exe

F:\WINDOWS\system32\csrss.exe

F:\WINDOWS\system32\winlogon.exe

F:\WINDOWS\system32\services.exe

F:\WINDOWS\system32\lsass.exe

F:\WINDOWS\system32\svchost.exe

F:\WINDOWS\System32\svchost.exe

F:\WINDOWS\system32\spoolsv.exe

D:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

F:\WINDOWS\system32\svchost.exe

D:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

F:\WINDOWS\Explorer.EXE

F:\WINDOWS\system32\wscntfy.exe

D:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

F:\WINDOWS\system32\ctfmon.exe

F:\WINDOWS\system32\wuauclt.exe

F:\Hijack\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://br.rd.yahoo.com/customize/ycomp/def.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://br.rd.yahoo.com/customize/ycomp/def...://br.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O1 - Hosts: <HTML><HEAD><TITLE>Yahoo!</TITLE>

O1 - Hosts: </HEAD><BODY BGCOLOR=white vlink=blue>

O1 - Hosts: <!-- following code added by server. PLEASE REMOVE -->

O1 - Hosts: <!-- preceding code added by server. PLEASE REMOVE --><center>

O1 - Hosts: <table width=675 cellpadding=0 cellspacing=2 border=0>

O1 - Hosts: <tr>

O1 - Hosts: <td width=1% valign=top><a href="http://www.yahoo.com"><img src=http://us.i1.yimg.com/us.yimg.com/i/yahoo.gif width=147 height=31 border=0 alt="Yahoo"></a></td>

O1 - Hosts: <td align=right><font face=arial size=-1><a href="/404/*http://www.yahoo.com">Yahoo!</a> - <a href="http://help.yahoo.com">Help</a></font><hr size=1 noshade></td>

O1 - Hosts: </tr>

O1 - Hosts: </table>

O1 - Hosts: <br>

O1 - Hosts: <table border=0 width=675 cellspacing=0 cellpadding=3>

O1 - Hosts: <tr>

O1 - Hosts: <td bgcolor=003399 colspan=2>

O1 - Hosts: <font face=Arial size=+1 color=white><b>Sorry, the page you requested was not found.</b></font>

O1 - Hosts: </td>

O1 - Hosts: </tr></table>

O1 - Hosts: <br>

O1 - Hosts: <table border=0 width=675 cellspacing=0 cellpadding=1>

O1 - Hosts: <tr>

O1 - Hosts: <td valign=top width=229 bgcolor=ffffff>

O1 - Hosts: <table width="100%" cellpadding=1 cellspacing=0 border=0 bgcolor=dcdcdc><tr>

O1 - Hosts: <td valign=top align=center><table width="100%" cellpadding=3 cellspacing=0 border=0 bgcolor=ffffff>

O1 - Hosts: <tr bgcolor=dcdcdc><td><font face=arial><b>Search Yahoo!</b></font></td></tr>

O1 - Hosts: <tr bgcolor=white><td valign=top align=center>

O1 - Hosts: <form action="http://search.yahoo.com/search">

O1 - Hosts: <input size="14" name="p" value="">

O1 - Hosts: <input type="SUBMIT" value="Search">

O1 - Hosts: <font face=arial size=-2>• <a href="http://search.yahoo.com/search/options?p=">advanced search</a> • <a href="http://buzz.yahoo.com">most popular</a></font>

O1 - Hosts: </form></td></tr></table>

O1 - Hosts: <table width=100% border=0 cellspacing=0 cellpadding=3 bgcolor=ffffff>

O1 - Hosts: <tr bgcolor=ccccff><td>

O1 - Hosts: <FONT face=arial size=+1>Yahoo! Web Hosting</font>

O1 - Hosts: </td></tr>

O1 - Hosts: <tr><td>

O1 - Hosts: <a href=http://webhosting.yahoo.com/ps/wh/prod/><img align=left src=http://us.i1.yimg.com/us.yimg.com/i/us/wh/gr/j_advan48.gif width=48 height=48 border=0 alt="Yahoo! Web Hosting"></a>

O1 - Hosts: <font face=arial size=-1>Yahoo! Web Hosting has <a href="http://webhosting.yahoo.com/ps/wh/prod/">three affordable plans</a> to meet your needs - starting at just $11.95.

O1 - Hosts: </td></tr>

O1 - Hosts: <tr><td align=right>

O1 - Hosts: <b><font face=arial size=-1><a href=http://webhosting.yahoo.com/ps/wh/prod/>Learn more...</a></font></b>

O1 - Hosts: </td></tr>

O1 - Hosts: </table>

O1 - Hosts: </td></tr></table>

O1 - Hosts: </td>

O1 - Hosts: <td width=1> </td>

O1 - Hosts: <td valign=top align=center width=445>

O1 - Hosts: <script language="JavaScript" type="text/javascript"

O1 - Hosts: src="http://adserver.yahoo.com/a?f=76001284&p=geocities&l=MON&c=sr">

O1 - Hosts: </script>

O1 - Hosts: <noscript>

O1 - Hosts: <iframe

O1 - Hosts: src="http://adserver.yahoo.com/a?f=76001284&p=geocities&l=MON&c=sh&bg=ffffff"

O1 - Hosts: width=470 height=580 marginwidth=0 marginheight=0 hspace=0

O1 - Hosts: vspace=0 frameborder=0 scrolling=no>

O1 - Hosts: </iframe>

O1 - Hosts: </noscript>

O1 - Hosts: </td>

O1 - Hosts: </tr>

O1 - Hosts: </table>

O1 - Hosts: <br>

O1 - Hosts: <table cellpadding=0 cellspacing=0 border=0 width=675><tr><td bgcolor=a0b8c8>

O1 - Hosts: <table cellpadding=1 cellspacing=1 border=0 width="100%">

O1 - Hosts: <tr valign=top bgcolor=ffffff><td align=center>

O1 - Hosts: <font face=arial size=-2><A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://address.yahoo.com/">Address Book</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://alerts.yahoo.com/">Alerts</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://auctions.yahoo.com/">Auctions</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://billpay.yahoo.com/">Bill Pay</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://bookmarks.yahoo.com/">Bookmarks</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://briefcase.yahoo.com/">Briefcase</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://broadcast.yahoo.com/">Broadcast</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://calendar.yahoo.com/">Calendar</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://chat.yahoo.com/">Chat</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://classifieds.yahoo.com/">Classifieds</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://clubs.yahoo.com/">Clubs</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://companion.yahoo.com/">Companion</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://experts.yahoo.com/">Experts</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://games.yahoo.com/">Games</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://greetings.yahoo.com/">Greetings</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://geocities.yahoo.com/">Home Pages</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://invites.yahoo.com/">Invites</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://mail.yahoo.com/">Mail</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://maps.yahoo.com/">Maps</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://members.yahoo.com/">Member Directory</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://messenger.yahoo.com/">Messenger</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://my.yahoo.com/">My Yahoo!</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://news.yahoo.com/">News</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://paydirect.yahoo.com/">PayDirect</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://people.yahoo.com/">People Search</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://personals.yahoo.com/">Personals</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://photos.yahoo.com/">Photos</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://shopping.yahoo.com/">Shopping</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://sports.yahoo.com/">Sports</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://finance.yahoo.com/">Stock Quotes</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://tv.yahoo.com/">TV</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://travel.yahoo.com/">Travel</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://weather.yahoo.com/">Weather</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://www.yahooligans.com/">Yahooligans</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://yp.yahoo.com/">Yellow Pages</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://docs.yahoo.com/docs/family/more.html">more...</A>

O1 - Hosts: </font></td></tr></table></td></tr></table>

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - F:\Arquivos de programas\Scpad\scpsssh2.dll

O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - F:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - F:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL

O4 - HKLM\..\Run: [AVP] "D:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"

O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: Add to Anti-Banner - D:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://D:\ARQUIV~1\MICROS~1\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Arquivos de programas\Messenger\msmsgs.exe

O12 - Plugin for .spop: F:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {9EC30204-384D-11D3-9CA3-00A024F0AF03} (ValidaUsuario Class) - https://cpne.bradesco.com.br/certifexp.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O20 - AppInit_DLLs: D:\ARQUIV~1\KASPER~1\KASPER~2.0\adialhk.dll

O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - F:\Arquivos de programas\Scpad\scpLIB.dll

O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - F:\Arquivos de programas\Scpad\scpLIB.dll

O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - D:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: NBService - Nero AG - D:\Arquivos de programas\Nero\Nero 7\Nero Home\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: ServiceLayer - Nokia. - F:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: Apache Tomcat (Tomcat6) - Apache Software Foundation - d:\Arquivos de programas\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe

 

--

End of file - 13204 bytes

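The three entries asked about above can be triaged mechanically. As an added example (not code from this thread, from HijackThis or from ComboFix), the Python script below parses HijackThis O4 lines and the ComboFix msconfig\startupreg blocks posted in this thread and flags autorun binaries that live in unusual places, while counting how many hives share one and the same binary. The sample input is copied from the logs in this thread; the reading that ComboFix prints an attribute/date/size prefix only when it found the file on disk is an assumption, as are all the location heuristics.

```python
"""Triage autorun entries from HijackThis O4 lines and ComboFix
msconfig\\startupreg blocks, flagging binaries in unusual locations."""
import re
from collections import defaultdict

# Constructed sample input: entries copied from the HijackThis and ComboFix
# logs posted in this thread (only the lines needed for the demonstration).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVP] "D:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bron-Spizaetus]
F:\WINDOWS\ShellNew\sempalong.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:45 15360 F:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvGraphicsInterface]
C:\winhost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 F:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe
"""

# HijackThis O4 line: "O4 - <hive>\..\Run: [<name>] <command> [(User '...')]"
O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# ComboFix header of an entry disabled in msconfig; the value is on the next line
STARTUPREG_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\(?P<name>[^\]]+)\]$",
    re.I)
# Assumption: ComboFix prefixes the path with "<attrs> <date> <time> <size>"
# only when it found the file; a bare path means no file metadata was printed.
META_RE = re.compile(r"^(?P<attrs>[-a-z]{9}) \d{4}-\d\d-\d\d \d\d:\d\d \d+ (?P<path>.+)$")
# First drive-letter path ending in an executable extension, quoted or not
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll|scr|com|bat|cmd|pif))"?(?=\s|$)', re.I)

PROGRAM_DIRS = {"arquivos de programas", "arquiv~1", "program files", "progra~1"}
WINDOWS_OK_SUBDIRS = {"system32", "system", "syswow64"}


def location_findings(path):
    """Heuristics on where an autorun binary lives; returns reasons to review it."""
    m = re.match(r"^[A-Za-z]:\\(.*)$", path)
    if not m:
        return ["not a drive-letter path"]
    parts = m.group(1).split("\\")
    top = parts[0].lower()
    reasons = []
    if len(parts) == 1:
        reasons.append("executable sits directly in the drive root")
    elif top == "windows":
        if len(parts) > 2 and parts[1].lower() not in WINDOWS_OK_SUBDIRS:
            reasons.append("unusual subfolder of the Windows directory: " + parts[1])
    elif top == "documents and settings":
        reasons.append("runs from a user profile directory")
    elif top not in PROGRAM_DIRS:
        reasons.append("outside the Windows and program directories")
    if any(p.lower() == "temp" for p in parts):
        reasons.append("lives under a Temp folder")
    return reasons


def parse_entries(text):
    """Return (source, name, path, has_metadata) for O4 and startupreg entries."""
    lines = text.splitlines()
    entries = []
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        o4 = O4_RE.match(line)
        reg = STARTUPREG_RE.match(line)
        if o4:
            pm = PATH_RE.search(o4.group("cmd"))
            if pm:  # O4 lines carry no file metadata, so nothing to miss there
                entries.append(("O4 " + o4.group("hive"), o4.group("name"), pm.group("path"), True))
        elif reg:
            i += 1
            while i < len(lines) and not lines[i].strip():  # skip blank lines
                i += 1
            if i < len(lines):
                value = lines[i].strip()
                mm = META_RE.match(value)
                path = mm.group("path") if mm else value
                entries.append(("msconfig\\startupreg", reg.group("name"), path, bool(mm)))
        i += 1
    return entries


def triage(text):
    """Return entries worth reviewing and how many hives share each binary."""
    entries = parse_entries(text)
    by_path = defaultdict(list)
    flagged = []
    for source, name, path, has_meta in entries:
        by_path[path.lower()].append(source)
        reasons = location_findings(path)
        if not has_meta:
            reasons.append("ComboFix printed no file metadata (file may be absent)")
        if reasons:
            flagged.append({"name": name, "path": path, "reasons": reasons})
    # the same system32 binary registered in several user hives (HKCU, HKUS\...)
    # is one program, not several; count it instead of flagging each copy
    shared = {p: len(s) for p, s in by_path.items() if len(s) > 1}
    return {"flagged": flagged, "shared": shared}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result["flagged"]:
        print(f"REVIEW {f['name']}: {f['path']} ({'; '.join(f['reasons'])})")
    for p, n in result["shared"].items():
        print(f"{p} registered in {n} hives (same binary)")
```

On the sample above it reports the ShellNew and drive-root binaries for review and shows that every ctfmon entry resolves to the single system32 file.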

<!> Good morning! Tiago Miranda

 

>@< Download ComboFix.

>@< Save it to the Desktop!

>@< Disable the resident protection of your antivirus, antispyware and firewall.

>@< Close all windows and run the tool!

 

If you get the notification "Invalid Win32 application", delete the tool and download it again.

Save it to the Desktop, renamed as: Kombo.exe

PS: Rename it while saving, not after saving it!

PS: If any error message occurs, run ComboFix in Safe Mode.

>@< The Auto Scan window will open. Wait!

>@< Type the option to continue and press < Enter >

>@< Wait for it to finish! During the scan, avoid touching the mouse or keyboard!

-------------------------------

>@< Post the report F:\ComboFix.txt in your reply, plus an updated HJT log.

 

Regards!


Here is the ComboFix log:

 

ComboFix 08-06-10.5 - Tiago 2008-06-11 21:51:38.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.693 [GMT -3:00]

Executando de: F:\Documents and Settings\Tiago\Desktop\ComboFix.exe

* Criado um novo ponto de restauro

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((( Ficheiros criados de 2008-05-12 to 2008-06-12 ))))))))))))))))))))))))))))))))

.

 

2008-06-10 22:48 . 2008-06-10 22:48 <DIR> d-------- F:\Hijack

2008-05-31 19:15 . 2008-05-31 19:15 <DIR> d--h----- F:\WINDOWS\PIF

2008-05-26 21:05 . 2008-05-26 21:05 <DIR> d-------- F:\Documents and Settings\All Users\Dados de aplicativos\Kaspersky Lab Setup Files

2008-05-26 19:45 . 2008-05-26 19:45 <DIR> d-------- F:\Documents and Settings\Tiago\.netbeans-registration

2008-05-21 13:56 . 2008-05-21 13:56 <DIR> d-------- F:\Arquivos de programas\GPLGS

2008-05-21 13:52 . 2008-05-21 13:52 <DIR> d-------- F:\Arquivos de programas\Acro Software

2008-05-21 13:52 . 2007-07-12 22:33 87,552 --a------ F:\WINDOWS\system32\cpwmon2k.dll

2008-05-15 18:06 . 2008-05-18 13:55 <DIR> d-------- F:\Documents and Settings\Luana\Dados de aplicativos\Ahead

2008-05-14 19:50 . 2008-05-29 20:06 151 --a------ F:\WINDOWS\PhotoSnapViewer.INI

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-06-11 22:44 --------- d-----w F:\Documents and Settings\Luana\Dados de aplicativos\MegauploadToolbar

2008-06-11 22:31 --------- d-----w F:\Documents and Settings\Luana\Dados de aplicativos\Winamp

2008-06-11 01:57 --------- d-----w F:\Documents and Settings\All Users\Dados de aplicativos\Kaspersky Lab

2008-06-11 00:05 --------- d--h--w F:\Arquivos de programas\InstallShield Installation Information

2008-06-11 00:01 --------- d-----w F:\Documents and Settings\All Users\Dados de aplicativos\BVRP Software

2008-06-10 23:26 --------- d-----w F:\Documents and Settings\Tiago\Dados de aplicativos\MegauploadToolbar

2008-06-10 22:01 --------- d-----w F:\Documents and Settings\Luana\Dados de aplicativos\LimeWire

2008-05-23 16:49 --------- d-----w F:\Documents and Settings\Valdir\Dados de aplicativos\MEGAUPLOADTOOLBAR

2008-05-22 17:11 --------- d-----w F:\Documents and Settings\Cátia\Dados de aplicativos\MEGAUPLOADTOOLBAR

2008-05-11 22:31 --------- d-----w F:\Documents and Settings\All Users\Dados de aplicativos\Zylom

2008-05-10 15:28 --------- d-----w F:\Documents and Settings\Tiago\Dados de aplicativos\Ahead

2008-05-10 15:27 --------- d-----w F:\Arquivos de programas\Arquivos comuns\Ahead

2008-05-10 15:25 --------- d-----w F:\Documents and Settings\All Users\Dados de aplicativos\Nero

2008-05-10 14:37 --------- d---a-w F:\Documents and Settings\All Users\Dados de aplicativos\TEMP

2008-05-10 02:47 --------- d-----w F:\Documents and Settings\Cátia\Dados de aplicativos\Dev-Cpp

2008-05-07 20:17 --------- d-----w F:\Documents and Settings\Luana\Dados de aplicativos\FrostWire

2008-05-04 14:54 --------- d-----w F:\Documents and Settings\Cátia\Dados de aplicativos\Media Player Classic

2008-05-04 14:54 --------- d-----w F:\Documents and Settings\Cátia\Dados de aplicativos\DivX

2008-05-01 01:12 --------- d-----w F:\Documents and Settings\Valdir\Dados de aplicativos\CyberLink

2008-04-27 21:04 --------- d-----w F:\Documents and Settings\Cátia\Dados de aplicativos\Winamp

2008-04-20 23:58 --------- d-----w F:\Arquivos de programas\Messenger Plus! Live

2008-01-07 17:41 66,896 -c--a-w F:\Documents and Settings\Tiago\Dados de aplicativos\GDIPFONTCACHEV1.DAT

2007-10-18 23:29 8 -c--a-w F:\Documents and Settings\All Users\Dados de aplicativos\SDGLYBMPWPP.SYS

2007-08-31 00:00 66,896 -c--a-w F:\Documents and Settings\Luana\Dados de aplicativos\GDIPFONTCACHEV1.DAT

2004-10-01 18:00 40,960 ----a-w F:\Arquivos de programas\Uninstall_CDS.exe

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* entradas vazias & legítimas por defeito não são mostradas.

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="d:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 20:19 79224]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="F:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:45 15360]

"Nokia.PCSync"="D:\Arquivos de programas\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]

"{A3717295-941D-416F-9384-ED1736729F1C}"= F:\Arquivos de programas\Scpad\scpLIB.dll [2007-03-27 01:29 128512]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"CompIBBrd"= {A3717295-941D-416F-9384-ED1736729F1C} - F:\Arquivos de programas\Scpad\scpLIB.dll [2007-03-27 01:29 128512]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.YV12"= yv12vfw.dll

"msacm.ac3filter"= ac3filter.acm

 

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Microsoft Office.lnk]

path=F:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Microsoft Office.lnk

backup=F:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bron-Spizaetus]

F:\WINDOWS\ShellNew\sempalong.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2004-08-04 00:45 15360 F:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2006-01-12 15:40 155648 F:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvGraphicsInterface]

C:\winhost.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

--------- 2004-11-02 20:24 32768 D:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2008-02-22 04:25 144784 F:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]

-ra------ 2006-08-03 03:53 53248 F:\WINDOWS\system32\VTTimer.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"D:\\Arquivos de programas\\Java\\jdk1.6.0_02\\jre\\bin\\javaw.exe"=

"D:\\Sun\\SDK\\jdk\\bin\\java.exe"=

"F:\\WINDOWS\\system32\\javaw.exe"=

"D:\\Arquivos de programas\\mIRC\\mirc.exe"=

"D:\\Arquivos de programas\\Valve\\hl.exe"=

"D:\\FM 08\\Football_Manager_2008\\Football Manager 2008\\fm.exe"=

"D:\\Arquivos de programas\\Java\\jre1.6.0_02\\bin\\java.exe"=

"D:\\Arquivos de programas\\Java\\jdk1.6.0_02\\jre\\bin\\java.exe"=

"D:\\Arquivos de programas\\Java\\jre1.6.0_02\\bin\\javaw.exe"=

"D:\\Arquivos de programas\\Valve\\hlds.exe"=

"F:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"F:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=

"F:\\Arquivos de programas\\Java\\jre1.6.0_05\\bin\\java.exe"=

"D:\\Arquivos de programas\\Java\\jdk1.6.0_02\\bin\\java.exe"=

 

R1 aswSP;avast! Self Protection;F:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 20:20]

R2 aswFsBlk;aswFsBlk;F:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 20:16]

S3 Tomcat6;Apache Tomcat;"d:\Arquivos de programas\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe" //RS//Tomcat6 []

S3 usb2vcom;USB to Serial Bridge Controller;F:\WINDOWS\system32\Drivers\usb2vcom.sys [2006-07-16 22:53]

S3 w200bus;Sony Ericsson W200 driver (WDM);F:\WINDOWS\system32\DRIVERS\w200bus.sys [2006-11-07 09:42]

S3 w200mdfl;Sony Ericsson W200 USB WMC Modem Filter;F:\WINDOWS\system32\DRIVERS\w200mdfl.sys [2006-11-07 09:42]

S3 w200mdm;Sony Ericsson W200 USB WMC Modem Driver;F:\WINDOWS\system32\DRIVERS\w200mdm.sys [2006-11-07 09:42]

S3 Z550bus;Sony Ericsson Z550 driver (WDM);F:\WINDOWS\system32\DRIVERS\Z550bus.sys [2006-03-13 16:37]

S3 Z550mdfl;Sony Ericsson Z550 USB WMC Modem Filter;F:\WINDOWS\system32\DRIVERS\Z550mdfl.sys [2006-03-13 16:37]

S3 Z550mdm;Sony Ericsson Z550 USB WMC Modem Driver;F:\WINDOWS\system32\DRIVERS\Z550mdm.sys [2006-03-13 16:37]

S3 Z550mgmt;Sony Ericsson Z550 USB WMC Device Management Drivers (WDM);F:\WINDOWS\system32\DRIVERS\Z550mgmt.sys [2006-03-13 16:37]

S3 Z550obex;Sony Ericsson Z550 USB WMC OBEX Interface;F:\WINDOWS\system32\DRIVERS\Z550obex.sys [2006-03-13 16:37]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]

\Shell\AutoRun\command - G:\autorun.exe

\Shell\dxinstall\command - G:\.\directx\dxsetup.exe

\Shell\readme\command - notepad readme.txt

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]

\Shell\AutoRun\command - H:\Autorun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]

\Shell\AutoRun\command - I:\RunGame.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{45868229-2cf8-11dd-a68e-001a4da48033}]

\Shell\auto\command - Knight.exe open

\Shell\AutoRun\command - F:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open

\Shell\explore\command - Knight.exe open

\Shell\find\command - Knight.exe open

\Shell\install\command - Knight.exe open

\Shell\open\command - Knight.exe open

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4586822a-2cf8-11dd-a68e-001a4da48033}]

\Shell\auto\command - Knight.exe open

\Shell\AutoRun\command - F:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open

\Shell\explore\command - Knight.exe open

\Shell\find\command - Knight.exe open

\Shell\install\command - Knight.exe open

\Shell\open\command - Knight.exe open

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e28594b-aef9-11dc-92ff-001a4da48033}]

\Shell\auto\command - Knight.exe open

\Shell\AutoRun\command - F:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open

\Shell\explore\command - Knight.exe open

\Shell\find\command - Knight.exe open

\Shell\install\command - Knight.exe open

\Shell\open\command - Knight.exe open

 

*Newly Created Service* - CATCHME

.

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-06-11 21:53:33

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros ocultos ...

 

Varredura completada com sucesso

Ficheiros ocultos: 0

 

**************************************************************************

.

Tempo para conclusão: 2008-06-11 21:54:16

ComboFix-quarantined-files.txt 2008-06-12 00:54:11

 

Pre-Run: 1,445,826,560 bytes disponíveis

Post-Run: 1,529,753,600 bytes disponíveis

 

158 --- E O F --- 2008-04-12 15:48:05


Here is the HijackThis log:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:57:14, on 11/6/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Boot mode: Normal

 

Running processes:

F:\WINDOWS\System32\smss.exe

F:\WINDOWS\system32\csrss.exe

F:\WINDOWS\system32\winlogon.exe

F:\WINDOWS\system32\services.exe

F:\WINDOWS\system32\lsass.exe

F:\WINDOWS\system32\svchost.exe

F:\WINDOWS\System32\svchost.exe

d:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

d:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

F:\WINDOWS\system32\spoolsv.exe

F:\WINDOWS\system32\svchost.exe

F:\WINDOWS\system32\wscntfy.exe

D:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

F:\WINDOWS\system32\ctfmon.exe

F:\WINDOWS\explorer.exe

F:\Hijack\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O1 - Hosts: <HTML><HEAD><TITLE>Yahoo!</TITLE>

O1 - Hosts: </HEAD><BODY BGCOLOR=white vlink=blue>

O1 - Hosts: <!-- following code added by server. PLEASE REMOVE -->

O1 - Hosts: <!-- preceding code added by server. PLEASE REMOVE --><center>

O1 - Hosts: <table width=675 cellpadding=0 cellspacing=2 border=0>

O1 - Hosts: <tr>

O1 - Hosts: <td width=1% valign=top><a href="http://www.yahoo.com"><img src=http://us.i1.yimg.com/us.yimg.com/i/yahoo.gif width=147 height=31 border=0 alt="Yahoo"></a></td>

O1 - Hosts: <td align=right><font face=arial size=-1><a href="/404/*http://www.yahoo.com">Yahoo!</a> - <a href="http://help.yahoo.com">Help</a></font><hr size=1 noshade></td>

O1 - Hosts: </tr>

O1 - Hosts: </table>

O1 - Hosts: <br>

O1 - Hosts: <table border=0 width=675 cellspacing=0 cellpadding=3>

O1 - Hosts: <tr>

O1 - Hosts: <td bgcolor=003399 colspan=2>

O1 - Hosts: <font face=Arial size=+1 color=white><b>Sorry, the page you requested was not found.</b></font>

O1 - Hosts: </td>

O1 - Hosts: </tr></table>

O1 - Hosts: <br>

O1 - Hosts: <table border=0 width=675 cellspacing=0 cellpadding=1>

O1 - Hosts: <tr>

O1 - Hosts: <td valign=top width=229 bgcolor=ffffff>

O1 - Hosts: <table width="100%" cellpadding=1 cellspacing=0 border=0 bgcolor=dcdcdc><tr>

O1 - Hosts: <td valign=top align=center><table width="100%" cellpadding=3 cellspacing=0 border=0 bgcolor=ffffff>

O1 - Hosts: <tr bgcolor=dcdcdc><td><font face=arial><b>Search Yahoo!</b></font></td></tr>

O1 - Hosts: <tr bgcolor=white><td valign=top align=center>

O1 - Hosts: <form action="http://search.yahoo.com/search">

O1 - Hosts: <input size="14" name="p" value="">

O1 - Hosts: <input type="SUBMIT" value="Search">

O1 - Hosts: <font face=arial size=-2>• <a href="http://search.yahoo.com/search/options?p=">advanced search</a> • <a href="http://buzz.yahoo.com">most popular</a></font>

O1 - Hosts: </form></td></tr></table>

O1 - Hosts: <table width=100% border=0 cellspacing=0 cellpadding=3 bgcolor=ffffff>

O1 - Hosts: <tr bgcolor=ccccff><td>

O1 - Hosts: <FONT face=arial size=+1>Yahoo! Web Hosting</font>

O1 - Hosts: </td></tr>

O1 - Hosts: <tr><td>

O1 - Hosts: <a href=http://webhosting.yahoo.com/ps/wh/prod/><img align=left src=http://us.i1.yimg.com/us.yimg.com/i/us/wh/gr/j_advan48.gif width=48 height=48 border=0 alt="Yahoo! Web Hosting"></a>

O1 - Hosts: <font face=arial size=-1>Yahoo! Web Hosting has <a href="http://webhosting.yahoo.com/ps/wh/prod/">three affordable plans</a> to meet your needs - starting at just $11.95.

O1 - Hosts: </td></tr>

O1 - Hosts: <tr><td align=right>

O1 - Hosts: <b><font face=arial size=-1><a href=http://webhosting.yahoo.com/ps/wh/prod/>Learn more...</a></font></b>

O1 - Hosts: </td></tr>

O1 - Hosts: </table>

O1 - Hosts: </td></tr></table>

O1 - Hosts: </td>

O1 - Hosts: <td width=1> </td>

O1 - Hosts: <td valign=top align=center width=445>

O1 - Hosts: <script language="JavaScript" type="text/javascript"

O1 - Hosts: src="http://adserver.yahoo.com/a?f=76001284&p=geocities&l=MON&c=sr">

O1 - Hosts: </script>

O1 - Hosts: <noscript>

O1 - Hosts: <iframe

O1 - Hosts: src="http://adserver.yahoo.com/a?f=76001284&p=geocities&l=MON&c=sh&bg=ffffff"

O1 - Hosts: width=470 height=580 marginwidth=0 marginheight=0 hspace=0

O1 - Hosts: vspace=0 frameborder=0 scrolling=no>

O1 - Hosts: </iframe>

O1 - Hosts: </noscript>

O1 - Hosts: </td>

O1 - Hosts: </tr>

O1 - Hosts: </table>

O1 - Hosts: <br>

O1 - Hosts: <table cellpadding=0 cellspacing=0 border=0 width=675><tr><td bgcolor=a0b8c8>

O1 - Hosts: <table cellpadding=1 cellspacing=1 border=0 width="100%">

O1 - Hosts: <tr valign=top bgcolor=ffffff><td align=center>

O1 - Hosts: <font face=arial size=-2><A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://address.yahoo.com/">Address Book</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://alerts.yahoo.com/">Alerts</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://auctions.yahoo.com/">Auctions</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://billpay.yahoo.com/">Bill Pay</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://bookmarks.yahoo.com/">Bookmarks</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://briefcase.yahoo.com/">Briefcase</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://broadcast.yahoo.com/">Broadcast</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://calendar.yahoo.com/">Calendar</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://chat.yahoo.com/">Chat</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://classifieds.yahoo.com/">Classifieds</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://clubs.yahoo.com/">Clubs</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://companion.yahoo.com/">Companion</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://experts.yahoo.com/">Experts</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://games.yahoo.com/">Games</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://greetings.yahoo.com/">Greetings</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://geocities.yahoo.com/">Home Pages</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://invites.yahoo.com/">Invites</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://mail.yahoo.com/">Mail</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://maps.yahoo.com/">Maps</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://members.yahoo.com/">Member Directory</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://messenger.yahoo.com/">Messenger</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://my.yahoo.com/">My Yahoo!</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://news.yahoo.com/">News</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://paydirect.yahoo.com/">PayDirect</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://people.yahoo.com/">People Search</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://personals.yahoo.com/">Personals</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://photos.yahoo.com/">Photos</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://shopping.yahoo.com/">Shopping</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://sports.yahoo.com/">Sports</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://finance.yahoo.com/">Stock Quotes</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://tv.yahoo.com/">TV</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://travel.yahoo.com/">Travel</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://weather.yahoo.com/">Weather</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://www.yahooligans.com/">Yahooligans</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://yp.yahoo.com/">Yellow Pages</A> · <A

O1 - Hosts: href="http://rd.yahoo.com/footer/?http://docs.yahoo.com/docs/family/more.html">more...</A>

O1 - Hosts: </font></td></tr></table></td></tr></table>

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - F:\Arquivos de programas\Scpad\scpsssh2.dll

O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - F:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - F:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL

O4 - HKLM\..\Run: [avast!] d:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://D:\ARQUIV~1\MICROS~1\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Arquivos de programas\Messenger\msmsgs.exe

O12 - Plugin for .spop: F:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {9EC30204-384D-11D3-9CA3-00A024F0AF03} (ValidaUsuario Class) - https://cpne.bradesco.com.br/certifexp.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - F:\Arquivos de programas\Scpad\scpLIB.dll

O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - F:\Arquivos de programas\Scpad\scpLIB.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - d:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - d:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - d:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - d:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: NBService - Nero AG - D:\Arquivos de programas\Nero\Nero 7\Nero Home\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: ServiceLayer - Nokia. - F:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: Apache Tomcat (Tomcat6) - Apache Software Foundation - d:\Arquivos de programas\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe

 

--

End of file - 12555 bytes


Good morning, Tiago Miranda!

 

>@< Download SDFix.

>@< Save it to Local Disk C and unpack it right there.

>@< Restart the computer in Safe Mode.

>@< Double-click: < runThis.bat >

>@< Press Y.

>@< Wait for it to finish!

>@< When it finishes, press Enter (or any key!).

>@< The computer will be restarted!

>@< Then wait for the cleanup to finish.

------------------------------

>@< Post the report, Report.txt, in your reply, plus an updated HJT log.

 

Cheers!


Here are the requested logs after the scan:

 

SDFIX:

 

 

SDFix: Version 1.191

Run by Administrador on --- 13/06/2008 at 19:32

 

Microsoft Windows XP [versão 5.1.2600]

Running From: F:\SDFix

 

Checking Services :

 

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

 

Rebooting

 

 

Checking Files :

 

No Trojan Files Found

 

 

 

 

 

 

Removing Temp Files

 

ADS Check :

 

 

 

Final Check :

 

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-06-13 19:36:40

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden services & system hive ...

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]

"s1"=dword:2df9c43f

"s2"=dword:110480d0

"h0"=dword:00000001

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"p0"="d:\Arquivos de programas\DAEMON Tools\"

"h0"=dword:00000000

"khjeh"=hex:00,78,b7,52,5a,0d,30,95,72,c7,82,e6,de,12,bd,1b,a4,a8,12,ff,cc,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"a0"=hex:20,01,00,00,af,09,47,0d,d4,cd,77,50,c3,f1,cb,13,51,40,ce,34,31,..

"khjeh"=hex:d9,e1,4d,d9,0f,33,aa,58,43,24,70,77,dc,76,15,47,1b,44,25,f5,fa,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:31,2b,58,f0,74,cc,de,ba,95,2a,bb,7a,d3,73,a3,d1,eb,42,90,35,a8,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"p0"="d:\Arquivos de programas\DAEMON Tools\"

"h0"=dword:00000000

"khjeh"=hex:00,78,b7,52,5a,0d,30,95,72,c7,82,e6,de,12,bd,1b,a4,a8,12,ff,cc,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"a0"=hex:20,01,00,00,af,09,47,0d,d4,cd,77,50,c3,f1,cb,13,51,40,ce,34,31,..

"khjeh"=hex:d9,e1,4d,d9,0f,33,aa,58,43,24,70,77,dc,76,15,47,1b,44,25,f5,fa,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:31,2b,58,f0,74,cc,de,ba,95,2a,bb,7a,d3,73,a3,d1,eb,42,90,35,a8,..

 

scanning hidden registry entries ...

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9787560E-51E5-FF6E-B86A-6AD98952F1D1}]

"jacfckagbflmdedoocog"=hex:62,61,67,64,00,00

"jacfckagbflmdedoockg"=hex:62,61,68,64,00,00

"iaceeehckeffilbdgl"=hex:6b,61,6a,63,6d,6c,66,63,68,6e,6b,6d,6a,70,6d,68,65,62,70,6a,70,..

"hamdkjmckiflgdib"=hex:6b,61,6a,63,6d,6c,66,63,68,6e,6b,6d,6a,70,6d,68,6e,61,6b,69,6d,..

 

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

 

Remaining Services :

 

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"D:\\Arquivos de programas\\Java\\jdk1.6.0_02\\jre\\bin\\javaw.exe"="D:\\Arquivos de programas\\Java\\jdk1.6.0_02\\jre\\bin\\javaw.exe:*:Enabled:Java Platform SE binary"

"D:\\Sun\\SDK\\jdk\\bin\\java.exe"="D:\\Sun\\SDK\\jdk\\bin\\java.exe:*:Enabled:Java Platform SE binary"

"F:\\WINDOWS\\system32\\javaw.exe"="F:\\WINDOWS\\system32\\javaw.exe:*:Enabled:Java Platform SE binary"

"D:\\Arquivos de programas\\mIRC\\mirc.exe"="D:\\Arquivos de programas\\mIRC\\mirc.exe:*:Enabled:mIRC"

"D:\\Arquivos de programas\\Valve\\hl.exe"="D:\\Arquivos de programas\\Valve\\hl.exe:*:Enabled:Half-Life Launcher"

"D:\\FM 08\\Football_Manager_2008\\Football Manager 2008\\fm.exe"="D:\\FM 08\\Football_Manager_2008\\Football Manager 2008\\fm.exe:*:Enabled:Football Manager 2008"

"D:\\Arquivos de programas\\Java\\jre1.6.0_02\\bin\\java.exe"="D:\\Arquivos de programas\\Java\\jre1.6.0_02\\bin\\java.exe:*:Enabled:Java Platform SE binary"

"D:\\Arquivos de programas\\Java\\jdk1.6.0_02\\jre\\bin\\java.exe"="D:\\Arquivos de programas\\Java\\jdk1.6.0_02\\jre\\bin\\java.exe:*:Enabled:Java Platform SE binary"

"D:\\Arquivos de programas\\Java\\jre1.6.0_02\\bin\\javaw.exe"="D:\\Arquivos de programas\\Java\\jre1.6.0_02\\bin\\javaw.exe:*:Enabled:Java Platform SE binary"

"D:\\Arquivos de programas\\Valve\\hlds.exe"="D:\\Arquivos de programas\\Valve\\hlds.exe:*:Enabled:HLDS Launcher"

"F:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"="F:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

"F:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"="F:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Messenger (Phone)"

"F:\\Arquivos de programas\\Java\\jre1.6.0_05\\bin\\java.exe"="F:\\Arquivos de programas\\Java\\jre1.6.0_05\\bin\\java.exe:*:Enabled:Java Platform SE binary"

"D:\\Arquivos de programas\\Java\\jdk1.6.0_02\\bin\\java.exe"="D:\\Arquivos de programas\\Java\\jdk1.6.0_02\\bin\\java.exe:*:Enabled:Java Platform SE binary"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"F:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"="F:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

"F:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"="F:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Messenger (Phone)"

 

Remaining Files :

 

 

 

Files with Hidden Attributes :

 

Wed 13 Oct 2004 1,694,208 ..SH. --- F:\ARQUIV~1\MESSEN~1\MSMSGS.EXE

Fri 28 Jul 2006 2,045 ...H. --- F:\WINDOWS\SYSTEM32\WHLB32G.DLL

Fri 5 Oct 2007 4,348 ..SH. --- F:\DOCUME~1\ALLUSE~1\DRM\DRMV1.BAK

Tue 11 Dec 2007 164,864 ..SHR --- F:\DOCUME~1\LUANA\DESKTOP\FOTOME~1.EXE

Fri 21 Mar 2008 0 A.SH. --- F:\DOCUME~1\ALLUSE~1\DRM\CACHE\INDIV02.TMP

Sat 26 Jan 2008 0 A..H. --- F:\WINDOWS\SOFTWA~1\DOWNLOAD\958F61~1\BIT12.TMP

 

Finished!

 

 

HIJACKTHIS:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:40:57, on 13/6/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Boot mode: Normal

 

Running processes:

F:\WINDOWS\System32\smss.exe

F:\WINDOWS\system32\csrss.exe

F:\WINDOWS\system32\winlogon.exe

F:\WINDOWS\system32\services.exe

F:\WINDOWS\system32\lsass.exe

F:\WINDOWS\system32\svchost.exe

F:\WINDOWS\System32\svchost.exe

d:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

d:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

F:\WINDOWS\system32\spoolsv.exe

F:\WINDOWS\Explorer.EXE

F:\WINDOWS\system32\svchost.exe

d:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

d:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

F:\WINDOWS\system32\wscntfy.exe

F:\WINDOWS\system32\wuauclt.exe

D:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

F:\WINDOWS\system32\ctfmon.exe

F:\Hijack\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - F:\Arquivos de programas\Scpad\scpsssh2.dll

O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - F:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - F:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL

O4 - HKLM\..\Run: [avast!] d:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://D:\ARQUIV~1\MICROS~1\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Arquivos de programas\Messenger\msmsgs.exe

O12 - Plugin for .spop: F:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {9EC30204-384D-11D3-9CA3-00A024F0AF03} (ValidaUsuario Class) - https://cpne.bradesco.com.br/certifexp.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - F:\Arquivos de programas\Scpad\scpLIB.dll

O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - F:\Arquivos de programas\Scpad\scpLIB.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - d:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - d:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - d:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - d:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: NBService - Nero AG - D:\Arquivos de programas\Nero\Nero 7\Nero Home\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: ServiceLayer - Nokia. - F:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: Apache Tomcat (Tomcat6) - Apache Software Foundation - d:\Arquivos de programas\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe

 

--

End of file - 5437 bytes


Good morning, Tiago Miranda!

 

Before running this procedure, plug your removable drive(s) into the USB port.

<!> Delete:

 

F:\ComboFix.txt << Previous ComboFix log.

----------------------------------

>@< Select and copy all the content in the Quote area into Notepad.

>@< Save it to the Desktop with the name: CFScript.txt

 

File::

F:\WINDOWS\ShellNew\sempalong.exe

C:\winhost.exe

G:\autorun.exe

G:\.\directx\dxsetup.exe

H:\Autorun.exe

I:\RunGame.exe

Registry::

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bron-Spizaetus]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvGraphicsInterface]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{45868229-2cf8-11dd-a68e-001a4da48033}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4586822a-2cf8-11dd-a68e-001a4da48033}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e28594b-aef9-11dc-92ff-001a4da48033}]

>@< Drag CFScript.txt with the mouse onto the ComboFix icon.

>@< See the demonstration!

 

[image: cpiadecfscriptxt7.gif]

 

>@< With this procedure, ComboFix will run and restart the computer automatically!

>@< If it does not restart, do so manually!

>@< While it runs, do not use the keyboard or mouse!

>@< When it finishes, post the report F:\ComboFix.txt plus an updated HJT log.

 

Cheers!


COMBOFIX:

 

ComboFix 08-06-10.5 - Tiago 2008-06-14 10:06:05.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.682 [GMT -3:00]

Executando de: F:\Documents and Settings\Tiago\Desktop\ComboFix.exe

Command switches used :: F:\Documents and Settings\Tiago\Desktop\CFScript.txt.txt

* Criado um novo ponto de restauro

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

 

FILE ::

C:\winhost.exe

F:\WINDOWS\ShellNew\sempalong.exe

G:\.\directx\dxsetup.exe

G:\autorun.exe

H:\Autorun.exe

I:\RunGame.exe

.

 

((((((((((((((((((((((( Ficheiros criados de 2008-05-14 to 2008-06-14 ))))))))))))))))))))))))))))))))

.

 

2008-06-13 19:29 . 2008-06-13 19:29 <DIR> d-------- F:\WINDOWS\ERUNT

2008-06-13 19:28 . 2008-06-13 19:28 <DIR> d-------- F:\Documents and Settings\Administrador

2008-06-13 07:54 . 2008-06-13 19:38 <DIR> d-------- F:\SDFix

2008-06-13 07:54 . 2008-06-13 07:47 1,437,605 --a------ F:\SDFix.exe

2008-06-10 22:48 . 2008-06-13 19:40 <DIR> d-------- F:\Hijack

2008-05-31 19:15 . 2008-05-31 19:15 <DIR> d--h----- F:\WINDOWS\PIF

2008-05-26 21:05 . 2008-05-26 21:05 <DIR> d-------- F:\Documents and Settings\All Users\Dados de aplicativos\Kaspersky Lab Setup Files

2008-05-26 19:45 . 2008-05-26 19:45 <DIR> d-------- F:\Documents and Settings\Tiago\.netbeans-registration

2008-05-21 13:56 . 2008-05-21 13:56 <DIR> d-------- F:\Arquivos de programas\GPLGS

2008-05-21 13:52 . 2008-05-21 13:52 <DIR> d-------- F:\Arquivos de programas\Acro Software

2008-05-21 13:52 . 2007-07-12 22:33 87,552 --a------ F:\WINDOWS\system32\cpwmon2k.dll

2008-05-15 18:06 . 2008-05-18 13:55 <DIR> d-------- F:\Documents and Settings\Luana\Dados de aplicativos\Ahead

2008-05-14 19:50 . 2008-05-29 20:06 151 --a------ F:\WINDOWS\PhotoSnapViewer.INI

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-06-13 19:15 --------- d-----w F:\Documents and Settings\Valdir\Dados de aplicativos\MEGAUPLOADTOOLBAR

2008-06-12 21:48 --------- d-----w F:\Documents and Settings\Luana\Dados de aplicativos\MegauploadToolbar

2008-06-11 22:31 --------- d-----w F:\Documents and Settings\Luana\Dados de aplicativos\Winamp

2008-06-11 01:57 --------- d-----w F:\Documents and Settings\All Users\Dados de aplicativos\Kaspersky Lab

2008-06-11 00:05 --------- d--h--w F:\Arquivos de programas\InstallShield Installation Information

2008-06-11 00:01 --------- d-----w F:\Documents and Settings\All Users\Dados de aplicativos\BVRP Software

2008-06-10 23:26 --------- d-----w F:\Documents and Settings\Tiago\Dados de aplicativos\MegauploadToolbar

2008-06-10 22:01 --------- d-----w F:\Documents and Settings\Luana\Dados de aplicativos\LimeWire

2008-05-22 17:11 --------- d-----w F:\Documents and Settings\Cátia\Dados de aplicativos\MEGAUPLOADTOOLBAR

2008-05-11 22:31 --------- d-----w F:\Documents and Settings\All Users\Dados de aplicativos\Zylom

2008-05-10 15:28 --------- d-----w F:\Documents and Settings\Tiago\Dados de aplicativos\Ahead

2008-05-10 15:27 --------- d-----w F:\Arquivos de programas\Arquivos comuns\Ahead

2008-05-10 15:25 --------- d-----w F:\Documents and Settings\All Users\Dados de aplicativos\Nero

2008-05-10 14:37 --------- d---a-w F:\Documents and Settings\All Users\Dados de aplicativos\TEMP

2008-05-10 02:47 --------- d-----w F:\Documents and Settings\Cátia\Dados de aplicativos\Dev-Cpp

2008-05-07 20:17 --------- d-----w F:\Documents and Settings\Luana\Dados de aplicativos\FrostWire

2008-05-04 14:54 --------- d-----w F:\Documents and Settings\Cátia\Dados de aplicativos\Media Player Classic

2008-05-04 14:54 --------- d-----w F:\Documents and Settings\Cátia\Dados de aplicativos\DivX

2008-05-01 01:12 --------- d-----w F:\Documents and Settings\Valdir\Dados de aplicativos\CyberLink

2008-04-27 21:04 --------- d-----w F:\Documents and Settings\Cátia\Dados de aplicativos\Winamp

2008-04-20 23:58 --------- d-----w F:\Arquivos de programas\Messenger Plus! Live

2008-01-07 17:41 66,896 -c--a-w F:\Documents and Settings\Tiago\Dados de aplicativos\GDIPFONTCACHEV1.DAT

2007-10-18 23:29 8 -c--a-w F:\Documents and Settings\All Users\Dados de aplicativos\SDGLYBMPWPP.SYS

2007-08-31 00:00 66,896 -c--a-w F:\Documents and Settings\Luana\Dados de aplicativos\GDIPFONTCACHEV1.DAT

2004-10-01 18:00 40,960 ----a-w F:\Arquivos de programas\Uninstall_CDS.exe

.

 

((((((((((((((((((((((((((((( snapshot@2008-06-11_21.54.04,73 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-06-12 00:36:55 2,048 --s-a-w F:\WINDOWS\bootstat.dat

+ 2008-06-14 12:54:09 2,048 --s-a-w F:\WINDOWS\bootstat.dat

+ 2008-06-11 05:07:53 163,328 ----a-w F:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE

+ 2008-06-13 22:29:35 376,832 ----a-w F:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT

+ 2008-06-13 22:29:35 8,192 ----a-w F:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat

+ 2008-06-11 05:07:53 163,328 ----a-w F:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE

+ 2008-06-13 22:29:24 376,832 ----a-w F:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT

+ 2008-06-13 22:29:24 8,192 ----a-w F:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat

+ 2008-06-14 12:54:16 16,384 ----atw F:\WINDOWS\Temp\Perflib_Perfdata_5f4.dat

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* entradas vazias & legítimas por defeito não são mostradas.

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="d:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 20:19 79224]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="F:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:45 15360]

"Nokia.PCSync"="D:\Arquivos de programas\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]

"{A3717295-941D-416F-9384-ED1736729F1C}"= F:\Arquivos de programas\Scpad\scpLIB.dll [2007-03-27 01:29 128512]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"CompIBBrd"= {A3717295-941D-416F-9384-ED1736729F1C} - F:\Arquivos de programas\Scpad\scpLIB.dll [2007-03-27 01:29 128512]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.YV12"= yv12vfw.dll

"msacm.ac3filter"= ac3filter.acm

 

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Microsoft Office.lnk]

path=F:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Microsoft Office.lnk

backup=F:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2004-08-04 00:45 15360 F:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2006-01-12 15:40 155648 F:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

--------- 2004-11-02 20:24 32768 D:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2008-02-22 04:25 144784 F:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]

-ra------ 2006-08-03 03:53 53248 F:\WINDOWS\system32\VTTimer.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"D:\\Arquivos de programas\\Java\\jdk1.6.0_02\\jre\\bin\\javaw.exe"=

"D:\\Sun\\SDK\\jdk\\bin\\java.exe"=

"F:\\WINDOWS\\system32\\javaw.exe"=

"D:\\Arquivos de programas\\mIRC\\mirc.exe"=

"D:\\Arquivos de programas\\Valve\\hl.exe"=

"D:\\FM 08\\Football_Manager_2008\\Football Manager 2008\\fm.exe"=

"D:\\Arquivos de programas\\Java\\jre1.6.0_02\\bin\\java.exe"=

"D:\\Arquivos de programas\\Java\\jdk1.6.0_02\\jre\\bin\\java.exe"=

"D:\\Arquivos de programas\\Java\\jre1.6.0_02\\bin\\javaw.exe"=

"D:\\Arquivos de programas\\Valve\\hlds.exe"=

"F:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"F:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=

"F:\\Arquivos de programas\\Java\\jre1.6.0_05\\bin\\java.exe"=

"D:\\Arquivos de programas\\Java\\jdk1.6.0_02\\bin\\java.exe"=

 

R1 aswSP;avast! Self Protection;F:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 20:20]

R2 aswFsBlk;aswFsBlk;F:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 20:16]

S3 Tomcat6;Apache Tomcat;"d:\Arquivos de programas\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe" //RS//Tomcat6 []

S3 usb2vcom;USB to Serial Bridge Controller;F:\WINDOWS\system32\Drivers\usb2vcom.sys [2006-07-16 22:53]

S3 w200bus;Sony Ericsson W200 driver (WDM);F:\WINDOWS\system32\DRIVERS\w200bus.sys [2006-11-07 09:42]

S3 w200mdfl;Sony Ericsson W200 USB WMC Modem Filter;F:\WINDOWS\system32\DRIVERS\w200mdfl.sys [2006-11-07 09:42]

S3 w200mdm;Sony Ericsson W200 USB WMC Modem Driver;F:\WINDOWS\system32\DRIVERS\w200mdm.sys [2006-11-07 09:42]

S3 Z550bus;Sony Ericsson Z550 driver (WDM);F:\WINDOWS\system32\DRIVERS\Z550bus.sys [2006-03-13 16:37]

S3 Z550mdfl;Sony Ericsson Z550 USB WMC Modem Filter;F:\WINDOWS\system32\DRIVERS\Z550mdfl.sys [2006-03-13 16:37]

S3 Z550mdm;Sony Ericsson Z550 USB WMC Modem Driver;F:\WINDOWS\system32\DRIVERS\Z550mdm.sys [2006-03-13 16:37]

S3 Z550mgmt;Sony Ericsson Z550 USB WMC Device Management Drivers (WDM);F:\WINDOWS\system32\DRIVERS\Z550mgmt.sys [2006-03-13 16:37]

S3 Z550obex;Sony Ericsson Z550 USB WMC OBEX Interface;F:\WINDOWS\system32\DRIVERS\Z550obex.sys [2006-03-13 16:37]

 

.

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-06-14 10:07:23

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros ocultos ...

 

Varredura completada com sucesso

Ficheiros ocultos: 0

 

**************************************************************************

.

Tempo para conclusão: 2008-06-14 10:08:15

ComboFix-quarantined-files.txt 2008-06-14 13:08:10

ComboFix2.txt 2008-06-12 00:54:17

 

Pre-Run: 1,433,255,936 bytes disponíveis

Post-Run: 1,429,094,400 bytes disponíveis

 

149 --- E O F --- 2008-04-12 15:48:05

 

HJT:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:13:33, on 14/6/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Boot mode: Normal

 

Running processes:

F:\WINDOWS\System32\smss.exe

F:\WINDOWS\system32\csrss.exe

F:\WINDOWS\system32\winlogon.exe

F:\WINDOWS\system32\services.exe

F:\WINDOWS\system32\lsass.exe

F:\WINDOWS\system32\svchost.exe

F:\WINDOWS\System32\svchost.exe

d:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

d:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

F:\WINDOWS\system32\spoolsv.exe

F:\WINDOWS\Explorer.EXE

D:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

F:\WINDOWS\system32\ctfmon.exe

F:\WINDOWS\system32\svchost.exe

d:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

d:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

F:\WINDOWS\system32\wscntfy.exe

F:\WINDOWS\system32\wuauclt.exe

F:\Hijack\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - F:\Arquivos de programas\Scpad\scpsssh2.dll

O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - F:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - F:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL

O4 - HKLM\..\Run: [avast!] d:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://D:\ARQUIV~1\MICROS~1\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Arquivos de programas\Messenger\msmsgs.exe

O12 - Plugin for .spop: F:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {9EC30204-384D-11D3-9CA3-00A024F0AF03} (ValidaUsuario Class) - https://cpne.bradesco.com.br/certifexp.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - F:\Arquivos de programas\Scpad\scpLIB.dll

O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - F:\Arquivos de programas\Scpad\scpLIB.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - d:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - d:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - d:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - d:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: NBService - Nero AG - D:\Arquivos de programas\Nero\Nero 7\Nero Home\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: ServiceLayer - Nokia. - F:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: Apache Tomcat (Tomcat6) - Apache Software Foundation - d:\Arquivos de programas\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe

 

--

End of file - 5437 bytes

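The HijackThis entries in the log above can be triaged mechanically rather than read line by line. The following is an added example, not HijackThis code and not posted by anyone in this thread: a Python script that parses O2 (BHO) and O4 (Run key) lines, flags orphaned BHOs (CLSID registered, DLL missing), well-known Windows binary names loaded from outside system32, autoruns outside the system and program directories, and reports the same binary registered under several hives, which is why ctfmon.exe shows up once per user hive (HKCU, SYSTEM, LOCAL SERVICE, NETWORK SERVICE, Default user) without being a hijack. The sample lines reproduce entries from the log above plus two constructed suspicious entries (a ctfmon.exe in Temp and an updater.exe in a user profile) that are hypothetical; the trusted-directory list is an assumption for a Portuguese XP layout ("Arquivos de programas" and its 8.3 form ARQUIV~1).

```python
"""
Triage helper for HijackThis v2 log lines (O2 BHO and O4 Run-key entries).
Added example; not HijackThis code. Heuristics and sample lines are constructed.
"""
import re
from collections import defaultdict

# O4 - <hive>\..\<key>: [<name>] <command> (User '<user>')   -- user part is optional
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.+?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# O2 - BHO: <name> - {<CLSID>} - <path or "(no file)">
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# First token of the command that ends in an executable extension (paths may contain spaces)
EXE_RE = re.compile(r"^(?P<exe>.+?\.(?:exe|dll|scr|com|bat|cmd))(?:\s|$)", re.IGNORECASE)

# Directories from which a Run-key entry is unremarkable (drive letter stripped, lower-cased).
# Assumption: Portuguese XP layout; ARQUIV~1 / PROGRA~1 are the 8.3 short names.
TRUSTED_DIR_PREFIXES = (
    "\\windows\\system32\\",
    "\\arquivos de programas\\", "\\arquiv~1\\",
    "\\program files\\", "\\progra~1\\",
)
# Windows binaries that malware commonly names itself after; legitimate copies live in system32.
SYSTEM32_ONLY = {"ctfmon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

# Constructed sample: first five lines mirror the posted log, last two are hypothetical hits.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] d:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKCU\..\Run: [ctfmon] F:\WINDOWS\Temp\ctfmon.exe
O4 - HKLM\..\Run: [updater] F:\Documents and Settings\user\updater.exe /silent
"""


def _norm(path):
    """Strip quotes and the drive letter, lower-case, so F:\\WINDOWS and f:\\windows compare equal."""
    p = path.strip().strip('"').lower()
    return p[2:] if len(p) > 1 and p[1] == ":" else p


def triage(log_text):
    """Return a list of (kind, subject, note) findings for the O2/O4 lines in log_text."""
    findings = []
    run_entries = defaultdict(list)  # normalized exe path -> hives it is registered under
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            if m.group("path").strip() == "(no file)":
                findings.append(("ORPHAN_BHO", m.group("clsid"),
                                 "CLSID registered but DLL missing; dead entry, safe to remove"))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        e = EXE_RE.match(m.group("cmd"))
        exe = _norm(e.group("exe") if e else m.group("cmd"))
        directory, _, basename = exe.rpartition("\\")
        directory += "\\"
        run_entries[exe].append(m.group("hive"))
        if basename in SYSTEM32_ONLY and directory != "\\windows\\system32\\":
            findings.append(("IMPERSONATION", m.group("cmd"), "%s loaded from outside system32" % basename))
        elif not directory.startswith(TRUSTED_DIR_PREFIXES):
            findings.append(("UNTRUSTED_DIR", m.group("cmd"), "autorun outside system/program directories"))
    # Informational: one binary under several hives is how HijackThis lists per-user Run keys
    for exe, hives in run_entries.items():
        if len(hives) > 1:
            findings.append(("MULTI_HIVE", exe,
                             "same binary registered in %d hives (%s); expected for system32 ctfmon.exe"
                             % (len(hives), ", ".join(hives))))
    return findings


if __name__ == "__main__":
    for kind, subject, note in triage(SAMPLE_LOG):
        print("%-14s %s  [%s]" % (kind, subject, note))
```

The script deliberately treats MULTI_HIVE as informational: the two ctfmon.exe entries in the sample resolve to the same system32 path, which is the benign case, while the copy in Temp is reported separately as impersonation because its directory differs.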

Good morning, Tiago Miranda!

 

<@> Apparently everything is OK with the logs.

--------------------------

>@< Run a disinfection scan at < BitDefender > and post the report.

>@< The page will open: < BitDefender OnLine Scanner >

 

>@< Click on: < agree2.gif >

 

>@< Wait! Allow the ActiveX installation so that the scan can run.

 

<!> Read the tutorial: < Link >

 

>@< Then post: the BitDefender report

>@< PS: The BitDefender report will be at: F:\Windows\BDOSCAN8\bdoscan.log

 

Regards!


PROBLEM SOLVED!

 

If the author needs the topic to be reopened, send a Private Message to a Moderator with a link to the topic.
