[Resolvido!] Spyware/Virtumonde e Vundo

[pteixeira 0]

Caros Amigos do Imasters, estou a recovervos em última estancia devido ao Spyware/Virtumonde e ao Vundo, já tentei utilizar uma série de técnicas discutidas neste forúm mas sem sucesso,

 

Anexo LOG do Panda Active Scan e do Hijack 2

 

Log do Panda Active Scan

;*******************************************************************************

*********************************************************************************

*******************

ANALYSIS: 2008-07-02 04:15:01

PROTECTIONS: 0

MALWARE: 10

SUSPECTS: 1

;*******************************************************************************

*********************************************************************************

*******************

PROTECTIONS

Description Version Active Updated

;===============================================================================

=================================================================================

===================

;===============================================================================

=================================================================================

===================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

=================================================================================

===================

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\pedro\Cookies\pedro@doubleclick[1].txt

00160284 Cookie/Findwhat TrackingCookie No 0 Yes No C:\Documents and Settings\pedro\Cookies\pedro@findwhat[1].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\pedro\Cookies\pedro@ad.yieldmanager[1].txt

00168106 Cookie/Weborama TrackingCookie No 0 Yes No C:\Documents and Settings\Catarina\Application Data\Mozilla\Firefox\Profiles\ezniyhl7.default\cookies.txt[.weborama.fr/]

00168106 Cookie/Weborama TrackingCookie No 0 Yes No C:\Documents and Settings\Catarina\Application Data\Mozilla\Firefox\Profiles\ezniyhl7.default\cookies.txt[.weborama.fr/]

00170559 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\pedro\Cookies\pedro@uol.com[1].txt

03117353 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{087DC17E-FF1E-41FB-8201-2D21C0A6CAC2}\RP141\A0039668.dll

03117353 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{087DC17E-FF1E-41FB-8201-2D21C0A6CAC2}\RP138\A0038370.dll

03117353 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{087DC17E-FF1E-41FB-8201-2D21C0A6CAC2}\RP141\A0039674.dll

03117353 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{087DC17E-FF1E-41FB-8201-2D21C0A6CAC2}\RP141\A0039678.dll

03117353 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{087DC17E-FF1E-41FB-8201-2D21C0A6CAC2}\RP141\A0039673.dll

03117353 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{087DC17E-FF1E-41FB-8201-2D21C0A6CAC2}\RP141\A0039672.dll

03117353 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{087DC17E-FF1E-41FB-8201-2D21C0A6CAC2}\RP141\A0039671.dll

03162636 Spyware/Virtumonde Spyware Yes 2 Yes No C:\WINDOWS\SYSTEM32\JHYXYKQK.DLL

03162759 Spyware/Vundo Spyware No 0 Yes No C:\System Volume Information\_restore{087DC17E-FF1E-41FB-8201-2D21C0A6CAC2}\RP141\A0039669.dll

03162759 Spyware/Vundo Spyware No 0 Yes No C:\System Volume Information\_restore{087DC17E-FF1E-41FB-8201-2D21C0A6CAC2}\RP141\A0039675.dll

03162761 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{087DC17E-FF1E-41FB-8201-2D21C0A6CAC2}\RP141\A0039670.dll

03162762 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{087DC17E-FF1E-41FB-8201-2D21C0A6CAC2}\RP138\A0039511.dll

;===============================================================================

=================================================================================

===================

SUSPECTS

Sent Location

;===============================================================================

=================================================================================

===================

No C:\WINDOWS\SYSTEM32\ZARKXT.DLL

;===============================================================================

=================================================================================

===================

VULNERABILITIES

Id Severity Description

;===============================================================================

=================================================================================

===================

133387 MEDIUM MS06-065

;===============================================================================

=================================================================================

===================

 

 

 

Log do Hijack

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:38:59, on 02-07-2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\S24EvMon.exe

C:\WINDOWS\system32\ACS.exe

C:\Programas\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\1XConfig.exe

C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Programas\TOSHIBA\PadTouch\PadExe.exe

C:\Programas\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Programas\TOSHIBA\Power Management\CePMTray.exe

C:\Programas\TOSHIBA\E-KEY\CeEKey.exe

C:\Programas\EzButton\EzButton.EXE

C:\Programas\TOSHIBA\TouchPad\TPTray.exe

C:\WINDOWS\System32\ZoomingHook.exe

C:\Programas\TOSHIBA\Utilitário de Zooming da TOSHIBA\SmoothView.exe

C:\Programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Programas\Java\jre1.6.0_05\bin\jusched.exe

C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE

C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe

C:\WINDOWS\system32\Rundll32.exe

C:\Programas\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe

C:\Programas\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe

C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe

C:\Programas\Apache Software Foundation\Apache2.2\bin\httpd.exe

C:\Programas\Bonjour\mDNSResponder.exe

C:\Programas\TOSHIBA\Power Management\CeEPwrSvc.exe

C:\Programas\Apache Software Foundation\Apache2.2\mysql\bin\mysqld.exe

C:\WINDOWS\system32\RegSrvc.exe

C:\Programas\Apache Software Foundation\Apache2.2\bin\httpd.exe

C:\Programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\Programas\Ficheiros comuns\PCSuite\Services\ServiceLayer.exe

C:\Programas\Internet Explorer\iexplore.exe

C:\Programas\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/ig?hl=pt-PT&source=iglk

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações

O2 - BHO: {d3294194-a539-a60a-b664-022c2f78fd01} - {10df87f2-c220-466b-a06a-935a4914923d} - C:\WINDOWS\system32\zarkxt.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programas\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [PadTouch] "C:\Programas\TOSHIBA\PadTouch\PadExe.exe

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Programas\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [CeEPOWER] C:\Programas\TOSHIBA\Power Management\CePMTray.exe

O4 - HKLM\..\Run: [CeEKEY] C:\Programas\TOSHIBA\E-KEY\CeEKey.exe

O4 - HKLM\..\Run: [EzButton] C:\Programas\EzButton\EzButton.EXE

O4 - HKLM\..\Run: [TPNF] C:\Programas\TOSHIBA\TouchPad\TPTray.exe

O4 - HKLM\..\Run: [ZoomingHook] c:\WINDOWS\System32\ZoomingHook.exe

O4 - HKLM\..\Run: [smoothView] C:\Programas\TOSHIBA\Utilitário de Zooming da TOSHIBA\SmoothView.exe

O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\FICHEI~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [bM9f3b5939] Rundll32.exe "C:\WINDOWS\system32\jhyxykqk.dll",s

O4 - HKCU\..\Run: [TOSCDSPD] C:\Programas\TOSHIBA\TOSCDSPD\toscdspd.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Programas\Alcohol Soft\Alcohol 120\axcmd.exe" /automount

O4 - Startup: Adobe Gamma.lnk = C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: ApacheMonitor.lnk = C:\Programas\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O8 - Extra context menu item: Converter destino de link em Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Converter destino de link em PDF existente - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Converter em Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Converter em PDF existente - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Converter links selecionados em Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Converter links selecionados em PDF existente - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Converter seleção em Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Converter seleção em PDF existente - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://prerelease.trendmicro-europe.com/ho...ivex/hcImpl.cab

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9563.cab

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

O20 - Winlogon Notify: jkkLdbca - jkkLdbca.dll (file missing)

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programas\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Programas\Ficheiros comuns\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe

O23 - Service: Apache2.2 - Apache Software Foundation - C:\Programas\Apache Software Foundation\Apache2.2\bin\httpd.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programas\Bonjour\mDNSResponder.exe

O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Programas\TOSHIBA\Power Management\CeEPwrSvc.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Gerenciador do Google Desktop 5.7.805.16405 (GoogleDesktopManager-051608-133132) - Google - C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programas\Ficheiros comuns\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: MySQL - Unknown owner - C:\Programas\Apache.exe (file missing)

O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe

O23 - Service: ServiceLayer - Nokia. - C:\Programas\Ficheiros comuns\PCSuite\Services\ServiceLayer.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

 

--

End of file - 9761 bytes

[Mário Monteiro 179]

O membro foi suspenso por 3 dias por floodar o forum postando dezenas de posts iguais a este

 

A duvida dele segue e apos este periodo poderá acessar o forum provavelmente ja com alguma resposta util a seu problema

[jgarcia 1]

Opa pteixeira,

 

Baixe o ComboFix em:

ComboFix

 

1) Desabilite o seu anti-vírus temporariamente;

2) Dê um duplo-clique no combofix.exe e tecle "1" para prosseguir. O processo vai durar, em média, 10 minutos;

3) O ComboFix reiniciará o PC automaticamente, a fim de que o processo de remoção seja finalizado (somente se houver infecção);

4) Quando a varredura acabar, será gerado um log, que estará em C:\ComboFix.txt;

5) Não clique na janela do ComboFix, nem feche clicando no X, enquanto a ferramenta estiver sendo executada, pois isto implicará na desconfiguração de seu desktop (ele ficará todo branco);

6) Para parar ou sair do ComboFix, tecle "N";

7) Reabilite o seu anti-vírus;

8) Preciso que você cole o conteúdo do ComboFix.txt em sua próxima resposta, juntamente com um log do Hijackthis.

 

Abraços.

[pteixeira 0]

Olá JGARCIA, infelizmente só pude responder ao POST passado 5 dias isto pq infelizmente Mário Monteiro suspendeu-me a sessão.

 

Provavelmente foi uma atitude infeliz para quem se diz Moderador deste fantástico Forúm, tudo isto pq argumentou que coloquei imensos POSTS repetidos, para que se saiba este FORUM é sobre SEGURANÇA&MALWARES programinhas que deixam os nossos computadores "estranhos" e a fazer coisas que ñ controlamos, dai que o ocorrido não foi deliberado, mas sim acidental devido aos Virus e Spywares que tinha na minha máquina.

 

DESDE JÁ EXIJO UM PEDIDO DE DESCULPAS, desse Sr. Mário Monteiro.

[pteixeira 0]

Agora nós caro amigo JGARCIA, corri o COMBOFIX como indicado e estou a POSTAR os LOGS do COMBOFIX e HIJACK.

 

Obrigado

 

ComboFix 08-07-02.5 - pedro 2008-07-03 23:50:50.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.2070.18.180 [GMT 1:00]

Executando de: C:\Documents and Settings\pedro\Ambiente de trabalho\ComboFix.exe

* Criado um novo ponto de restauro

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusäes )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Recycled\Recycled

C:\WINDOWS\BM9f3b5939.txt

C:\WINDOWS\cookies.ini

C:\WINDOWS\pskt.ini

C:\WINDOWS\system32\aIPsBcfe.ini

C:\WINDOWS\system32\aIPsBcfe.ini2

C:\WINDOWS\system32\dywfdmxe.ini

C:\WINDOWS\system32\jhyxykqk.dll

C:\WINDOWS\system32\kikrrekk.dll

C:\WINDOWS\system32\mcrh.tmp

C:\WINDOWS\system32\qguqiuwq.ini

C:\WINDOWS\system32\vplaefgc.ini

C:\WINDOWS\system32\zarkxt.dll

 

.

((((((((((((((((((((((( Ficheiros criados de 2008-06-03 to 2008-07-03 ))))))))))))))))))))))))))))))))

.

 

2008-07-03 00:23 . 2008-07-03 00:24 <DIR> d-------- C:\Programas\SpywareBlaster

2008-07-01 23:14 . 2008-07-01 23:15 <DIR> d-------- C:\Programas\Panda Security

2008-07-01 21:28 . 2008-07-01 21:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-07-01 00:12 . 2008-07-01 21:37 <DIR> d-------- C:\Programas\a-squared Free

2008-07-01 00:11 . 2008-07-01 00:11 <DIR> d-------- C:\Programas\Trend Micro

2008-06-30 01:03 . 2008-06-30 01:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-06-30 00:52 . 2008-06-30 00:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8

2008-06-28 22:35 . 2008-07-03 00:40 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

2008-06-28 22:00 . 2008-06-28 22:00 0 --a------ C:\WINDOWS\TPTray.INI

2008-06-28 18:31 . 2008-06-28 18:31 0 --a------ C:\WINDOWS\CePMTray.INI

2008-06-28 16:52 . 2008-06-28 16:52 <DIR> d-------- C:\WINDOWS\system32\HouseCall 6.6

2008-06-28 16:52 . 2008-06-28 16:52 <DIR> d-------- C:\Documents and Settings\pedro\Application Data\HouseCall 6.6

2008-06-28 13:37 . 2008-07-03 23:48 110,437 --a------ C:\WINDOWS\BM9f3b5939.xml

2008-06-15 15:53 . 2008-06-15 15:53 <DIR> d-------- C:\Programas\Easy GIF Animator

2008-06-11 22:13 . 2008-06-14 18:59 272,640 --------- C:\WINDOWS\system32\drivers\bthport.sys

2008-06-11 22:13 . 2008-06-14 18:59 272,640 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

2008-06-04 22:36 . 2008-06-04 22:36 <DIR> d-------- C:\Programas\Google

 

.

((((((((((((((((((((((((((((((((((((( Relat¢rio Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-06-26 12:18 13,646 ----a-w C:\WINDOWS\E220AutoRunLog.tmp

2008-06-25 15:26 --------- d--h--w C:\Programas\InstallShield Installation Information

2008-06-23 18:29 --------- d-----w C:\Documents and Settings\pedro\Application Data\FileZilla

2008-06-11 21:30 --------- d-----w C:\Documents and Settings\pedro\Application Data\MySQL

2008-05-31 11:42 --------- d-----w C:\Documents and Settings\Marta\Application Data\PC Suite

2008-05-30 21:38 --------- d-----w C:\Documents and Settings\pedro\Application Data\AdobeUM

2008-05-29 21:42 --------- d-----w C:\Programas\Ficheiros comuns\Adobe

2008-05-27 21:53 --------- dcsh--w C:\Programas\Ficheiros comuns\WindowsLiveInstaller

2008-05-27 21:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller

2008-05-27 21:44 --------- d-----w C:\Programas\Windows Live

2008-05-24 22:04 --------- d-----w C:\Programas\McDonaldsFairies

2008-05-24 21:47 --------- d-----w C:\Documents and Settings\Catarina\Application Data\PC Suite

2008-05-10 09:13 --------- d-----w C:\Documents and Settings\pedro\Application Data\Winamp

2008-05-10 09:00 --------- d-----w C:\Programas\Winamp

2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys

.

 

------- Sigcheck -------

 

2007-12-05 01:06 505344 410f13a4657b9c1f096b474e4031c293 C:\WINDOWS\system32\winlogon.exe

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* entradas vazias & leg¡timas por defeito nÆo sÆo mostradas.

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="C:\Programas\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-16 09:49 65536]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

"AlcoholAutomount"="C:\Programas\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-03-20 17:46 217544]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 22:10 339968]

"PadTouch"="C:\Programas\TOSHIBA\PadTouch\PadExe.exe" [2004-02-12 13:04 1019904]

"PRONoMgr.exe"="C:\Programas\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-10 03:36 86016]

"CeEPOWER"="C:\Programas\TOSHIBA\Power Management\CePMTray.exe" [2004-08-18 11:21 135168]

"CeEKEY"="C:\Programas\TOSHIBA\E-KEY\CeEKey.exe" [2004-08-06 16:14 643072]

"EzButton"="C:\Programas\EzButton\EzButton.EXE" [2004-07-07 15:25 712704]

"TPNF"="C:\Programas\TOSHIBA\TouchPad\TPTray.exe" [2004-07-28 17:23 53248]

"ZoomingHook"="c:\WINDOWS\System32\ZoomingHook.exe" [2004-07-14 17:07 24576]

"Adobe_ID0EYTHM"="C:\PROGRA~1\FICHEI~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 17:40 1884160]

"Acrobat Assistant 7.0"="C:\Programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 02:08 483328]

"SunJavaUpdateSched"="C:\Programas\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" [2006-06-15 13:36 229376]

"Google Desktop Search"="C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-04 22:36 29744]

"AGRSMMSG"="AGRSMMSG.exe" [2004-02-21 04:00 88363 C:\WINDOWS\agrsmmsg.exe]

 

C:\Documents and Settings\Catarina\Menu Iniciar\Programas\Arranque\

Fairies.lnk - C:\Programas\McDonaldsFairies\McDonaldsFairies.exe [2008-05-24 23:03:27 2361239]

 

C:\Documents and Settings\pedro\Menu Iniciar\Programas\Arranque\

Adobe Gamma.lnk - C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 21:16:50 113664]

ApacheMonitor.lnk - C:\Programas\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2007-09-05 10:00:34 41041]

 

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\

Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1034-4700-7760-000000000002}\SC_Acrobat.exe [2007-12-05 00:27:39 25214]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]

2003-12-16 09:32 110592 C:\WINDOWS\system32\LgNotify.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2004-10-13 17:24 1694208 C:\Programas\Messenger\msmsgs.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\WINDOWS\\system32\\fxsclnt.exe"=

"C:\\Programas\\Messenger\\msmsgs.exe"=

"C:\\Programas\\Internet Explorer\\iexplore.exe"=

 

R2 Apache2.2;Apache2.2;"C:\Programas\Apache Software Foundation\Apache2.2\bin\httpd.exe" -k runservice []

S3 GoogleDesktopManager-051608-133132;Gerenciador do Google Desktop 5.7.805.16405;"C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-04 22:36]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1017ffce-a67b-11dc-aaeb-000e35768441}]

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL tmn.msi AUTORUN=1

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b133400c-a500-11dc-aaea-000e35768441}]

\Shell\AutoRun\command - E:\LaunchU3.exe -a

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{18B0E5C2-99CB-11CF-AYX5-00401C648513}]

C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\iuhi64.exe

.

- - - - ORPHANS REMOVED - - - -

 

HKLM-Run-SmoothView - C:\Programas\TOSHIBA\Utilitário de Zooming da TOSHIBA\SmoothView.exe

HKLM-Run-BM9f3b5939 - C:\WINDOWS\system32\jhyxykqk.dll

ShellExecuteHooks-{BE7E4CE1-8CBA-44A6-956F-462A667D3286} - (no file)

Notify-jkkLdbca - jkkLdbca.dll

 

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-04 00:00:35

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializ veis ocultas ...

 

Procurando ficheiros ocultos ...

 

Varredura completada com sucesso

Ficheiros ocultos: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]

"ImagePath"="\"C:\Programas\Apache Software Foundation\Apache2.2\mysql\bin\mysqld\" --defaults-file=\"C:\Programas\Apache Software Foundation\Apache2.2\mysql\my.ini\" \"MySQL\""

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\system32\ati2evxx.exe

C:\WINDOWS\system32\S24EvMon.exe

C:\WINDOWS\system32\acs.exe

C:\Programas\Bonjour\mDNSResponder.exe

C:\Programas\TOSHIBA\Power Management\CeEPwrSvc.exe

C:\Programas\Apache Software Foundation\Apache2.2\mysql\bin\mysqld.exe

C:\WINDOWS\system32\RegSrvc.exe

C:\Programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\system32\1XConfig.exe

C:\Programas\Ficheiros comuns\PCSuite\Services\ServiceLayer.exe

.

**************************************************************************

.

Tempo para conclusÆo: 2008-07-04 0:06:47 - machine was rebooted

ComboFix-quarantined-files.txt 2008-07-03 23:06:12

 

Pre-Run: 17,212,694,528 bytes livres

Post-Run: 17,566,707,712 bytes livres

 

154 --- E O F --- 2008-06-26 12:17:10

 

HIJACK

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:12:24, on 06-07-2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\S24EvMon.exe

C:\WINDOWS\system32\ACS.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\1XConfig.exe

C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Programas\TOSHIBA\PadTouch\PadExe.exe

C:\Programas\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Programas\TOSHIBA\Power Management\CePMTray.exe

C:\Programas\TOSHIBA\E-KEY\CeEKey.exe

C:\Programas\EzButton\EzButton.EXE

C:\Programas\TOSHIBA\TouchPad\TPTray.exe

C:\WINDOWS\System32\ZoomingHook.exe

C:\Programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Programas\Java\jre1.6.0_05\bin\jusched.exe

C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE

C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe

C:\Programas\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe

C:\Programas\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe

C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe

C:\Programas\Apache Software Foundation\Apache2.2\bin\httpd.exe

C:\Programas\Bonjour\mDNSResponder.exe

C:\Programas\TOSHIBA\Power Management\CeEPwrSvc.exe

C:\Programas\Apache Software Foundation\Apache2.2\mysql\bin\mysqld.exe

C:\WINDOWS\system32\RegSrvc.exe

C:\Programas\Apache Software Foundation\Apache2.2\bin\httpd.exe

C:\Programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\Programas\Ficheiros comuns\PCSuite\Services\ServiceLayer.exe

C:\Programas\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Programas\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/ig?hl=pt-PT&source=iglk

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [PadTouch] "C:\Programas\TOSHIBA\PadTouch\PadExe.exe

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Programas\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [CeEPOWER] C:\Programas\TOSHIBA\Power Management\CePMTray.exe

O4 - HKLM\..\Run: [CeEKEY] C:\Programas\TOSHIBA\E-KEY\CeEKey.exe

O4 - HKLM\..\Run: [EzButton] C:\Programas\EzButton\EzButton.EXE

O4 - HKLM\..\Run: [TPNF] C:\Programas\TOSHIBA\TouchPad\TPTray.exe

O4 - HKLM\..\Run: [ZoomingHook] c:\WINDOWS\System32\ZoomingHook.exe

O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\FICHEI~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [TOSCDSPD] C:\Programas\TOSHIBA\TOSCDSPD\toscdspd.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Programas\Alcohol Soft\Alcohol 120\axcmd.exe" /automount

O4 - Startup: Adobe Gamma.lnk = C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: ApacheMonitor.lnk = C:\Programas\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O8 - Extra context menu item: Converter destino de link em Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Converter destino de link em PDF existente - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Converter em Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Converter em PDF existente - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Converter links selecionados em Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Converter links selecionados em PDF existente - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Converter seleção em Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Converter seleção em PDF existente - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://prerelease.trendmicro-europe.com/ho...ivex/hcImpl.cab

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9563.cab

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Programas\Ficheiros comuns\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe

O23 - Service: Apache2.2 - Apache Software Foundation - C:\Programas\Apache Software Foundation\Apache2.2\bin\httpd.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programas\Bonjour\mDNSResponder.exe

O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Programas\TOSHIBA\Power Management\CeEPwrSvc.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Gerenciador do Google Desktop 5.7.805.16405 (GoogleDesktopManager-051608-133132) - Google - C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programas\Ficheiros comuns\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: MySQL - Unknown owner - C:\Programas\Apache.exe (file missing)

O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe

O23 - Service: ServiceLayer - Nokia. - C:\Programas\Ficheiros comuns\PCSuite\Services\ServiceLayer.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

 

--

End of file - 9552 bytes

[jgarcia 1]

Opa pteixeira,

 

Vamos lá.

 

* Baixe o VundoFix.

 

* Dê duplo-clique sobre VundoFix.exe para iniciá-lo;

 

* Quando o VundoFix abrir clique em Scan for Vundo. Aguarde o término do scan que pode demorar algum tempo. Seja paciente;

 

* Terminado o scan clique em Remove Vundo;

 

* Você receberá um alerta perguntando se deseja remover os arquivos. Clique em YES. O seu desktop irá apagar (isto é normal);

 

* Para completar o scan será necessário reinicializar a máquina. Clique em OK;

 

* Favor postar o log do VundoFix (C:\vundofix.txt) em sua próxima resposta, juntamente com um novo do ComboFix.

 

Abraços.

[pteixeira 0]

Oi Jgarcia junto anexo o log do VUNDO/COMBOFIX e HIJACK

 

VUNDO

Não deteou nada, logo não criou LOG

 

COMBO

ComboFix 08-07-05.1 - pedro 2008-07-07 21:45:30.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.2070.18.180 [GMT 1:00]

Executando de: C:\Documents and Settings\pedro\Ambiente de trabalho\ComboFix.exe

* Criado um novo ponto de restauro

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\BM9f3b5939.xml

 

.

((((((((((((((((((((((( Ficheiros criados de 2008-06-07 to 2008-07-07 ))))))))))))))))))))))))))))))))

.

 

2008-07-07 21:28 . 2008-07-07 21:28 <DIR> d-------- C:\VundoFix Backups

2008-07-04 17:07 . 2008-07-04 17:07 <DIR> d-------- C:\Programas\TeamViewer3

2008-07-04 17:07 . 2008-07-04 17:07 <DIR> d-------- C:\Documents and Settings\pedro\temp

2008-07-04 17:07 . 2008-07-04 17:07 <DIR> d-------- C:\Documents and Settings\pedro\Application Data\TeamViewer

2008-07-04 00:21 . 2008-07-04 00:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer

2008-07-04 00:19 . 2008-07-04 00:19 <DIR> d-------- C:\Programas\Apple Software Update

2008-07-04 00:19 . 2008-07-04 00:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

2008-07-04 00:06 . 2008-07-04 00:06 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Definiþ§es locais

2008-07-04 00:06 . 2008-07-04 00:06 <DIR> d-------- C:\Documents and Settings\pedro\Definiþ§es locais

2008-07-04 00:06 . 2008-07-04 00:06 <DIR> d-------- C:\Documents and Settings\NetworkService\Definiþ§es locais

2008-07-04 00:06 . 2008-07-04 00:06 <DIR> d-------- C:\Documents and Settings\Marta\Definiþ§es locais

2008-07-04 00:06 . 2008-07-04 00:06 <DIR> d-------- C:\Documents and Settings\LocalService\Definiþ§es locais

2008-07-04 00:06 . 2008-07-04 00:06 <DIR> d-------- C:\Documents and Settings\Catarina\Definiþ§es locais

2008-07-03 00:23 . 2008-07-04 00:45 <DIR> d-------- C:\Programas\SpywareBlaster

2008-07-01 23:14 . 2008-07-01 23:15 <DIR> d-------- C:\Programas\Panda Security

2008-07-01 21:28 . 2008-07-01 21:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-07-01 00:12 . 2008-07-01 21:37 <DIR> d-------- C:\Programas\a-squared Free

2008-07-01 00:11 . 2008-07-01 00:11 <DIR> d-------- C:\Programas\Trend Micro

2008-06-30 01:03 . 2008-06-30 01:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-06-30 00:52 . 2008-06-30 00:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8

2008-06-28 22:35 . 2008-07-06 14:07 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

2008-06-28 22:00 . 2008-06-28 22:00 0 --a------ C:\WINDOWS\TPTray.INI

2008-06-28 18:31 . 2008-06-28 18:31 0 --a------ C:\WINDOWS\CePMTray.INI

2008-06-28 16:52 . 2008-06-28 16:52 <DIR> d-------- C:\WINDOWS\system32\HouseCall 6.6

2008-06-28 16:52 . 2008-06-28 16:52 <DIR> d-------- C:\Documents and Settings\pedro\Application Data\HouseCall 6.6

2008-06-15 15:53 . 2008-06-15 15:53 <DIR> d-------- C:\Programas\Easy GIF Animator

2008-06-11 22:13 . 2008-06-14 18:59 272,640 --------- C:\WINDOWS\system32\drivers\bthport.sys

2008-06-11 22:13 . 2008-06-14 18:59 272,640 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-07-03 23:25 --------- d-----w C:\Programas\QuickTime

2008-06-26 12:18 13,646 ----a-w C:\WINDOWS\E220AutoRunLog.tmp

2008-06-25 15:26 --------- d--h--w C:\Programas\InstallShield Installation Information

2008-06-23 18:29 --------- d-----w C:\Documents and Settings\pedro\Application Data\FileZilla

2008-06-11 21:30 --------- d-----w C:\Documents and Settings\pedro\Application Data\MySQL

2008-06-04 21:36 --------- d-----w C:\Programas\Google

2008-05-31 11:42 --------- d-----w C:\Documents and Settings\Marta\Application Data\PC Suite

2008-05-30 21:38 --------- d-----w C:\Documents and Settings\pedro\Application Data\AdobeUM

2008-05-29 21:42 --------- d-----w C:\Programas\Ficheiros comuns\Adobe

2008-05-27 21:53 --------- dcsh--w C:\Programas\Ficheiros comuns\WindowsLiveInstaller

2008-05-27 21:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller

2008-05-27 21:44 --------- d-----w C:\Programas\Windows Live

2008-05-24 22:04 --------- d-----w C:\Programas\McDonaldsFairies

2008-05-24 21:47 --------- d-----w C:\Documents and Settings\Catarina\Application Data\PC Suite

2008-05-10 09:13 --------- d-----w C:\Documents and Settings\pedro\Application Data\Winamp

2008-05-10 09:00 --------- d-----w C:\Programas\Winamp

2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys

2008-05-07 05:15 1,294,336 ----a-w C:\WINDOWS\system32\quartz.dll

2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

.

 

------- Sigcheck -------

 

2007-12-05 01:06 505344 410f13a4657b9c1f096b474e4031c293 C:\WINDOWS\system32\winlogon.exe

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* entradas vazias & legítimas por defeito não são mostradas.

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="C:\Programas\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-16 09:49 65536]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

"AlcoholAutomount"="C:\Programas\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-03-20 17:46 217544]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 22:10 339968]

"PadTouch"="C:\Programas\TOSHIBA\PadTouch\PadExe.exe" [2004-02-12 13:04 1019904]

"PRONoMgr.exe"="C:\Programas\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-10 03:36 86016]

"CeEPOWER"="C:\Programas\TOSHIBA\Power Management\CePMTray.exe" [2004-08-18 11:21 135168]

"CeEKEY"="C:\Programas\TOSHIBA\E-KEY\CeEKey.exe" [2004-08-06 16:14 643072]

"EzButton"="C:\Programas\EzButton\EzButton.EXE" [2004-07-07 15:25 712704]

"TPNF"="C:\Programas\TOSHIBA\TouchPad\TPTray.exe" [2004-07-28 17:23 53248]

"ZoomingHook"="c:\WINDOWS\System32\ZoomingHook.exe" [2004-07-14 17:07 24576]

"Adobe_ID0EYTHM"="C:\PROGRA~1\FICHEI~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 17:40 1884160]

"Acrobat Assistant 7.0"="C:\Programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 02:08 483328]

"SunJavaUpdateSched"="C:\Programas\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" [2006-06-15 13:36 229376]

"Google Desktop Search"="C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-04 22:36 29744]

"QuickTime Task"="C:\Programas\QuickTime\qttask.exe" [2008-05-27 10:50 413696]

"AGRSMMSG"="AGRSMMSG.exe" [2004-02-21 04:00 88363 C:\WINDOWS\agrsmmsg.exe]

 

C:\Documents and Settings\Catarina\Menu Iniciar\Programas\Arranque\

Fairies.lnk - C:\Programas\McDonaldsFairies\McDonaldsFairies.exe [2008-05-24 23:03:27 2361239]

 

C:\Documents and Settings\pedro\Menu Iniciar\Programas\Arranque\

Adobe Gamma.lnk - C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 21:16:50 113664]

ApacheMonitor.lnk - C:\Programas\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2007-09-05 10:00:34 41041]

 

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\

Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1034-4700-7760-000000000002}\SC_Acrobat.exe [2007-12-05 00:27:39 25214]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]

2003-12-16 09:32 110592 C:\WINDOWS\system32\LgNotify.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2004-10-13 17:24 1694208 C:\Programas\Messenger\msmsgs.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\WINDOWS\\system32\\fxsclnt.exe"=

"C:\\Programas\\Messenger\\msmsgs.exe"=

"C:\\Programas\\Internet Explorer\\iexplore.exe"=

"C:\\Programas\\TeamViewer3\\TeamViewer.exe"=

 

R2 Apache2.2;Apache2.2;C:\Programas\Apache Software Foundation\Apache2.2\bin\httpd.exe [2007-09-05 09:59]

S3 GoogleDesktopManager-051608-133132;Gerenciador do Google Desktop 5.7.805.16405;C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe [2008-06-04 22:36]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1017ffce-a67b-11dc-aaeb-000e35768441}]

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL tmn.msi AUTORUN=1

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b133400c-a500-11dc-aaea-000e35768441}]

\Shell\AutoRun\command - E:\LaunchU3.exe -a

 

*Newly Created Service* - CATCHME

.

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-07 21:50:10

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros ocultos ...

 

Varredura completada com sucesso

Ficheiros ocultos: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL]

"ImagePath"="\"C:\Programas\Apache Software Foundation\Apache2.2\mysql\bin\mysqld\" --defaults-file=\"C:\Programas\Apache Software Foundation\Apache2.2\mysql\my.ini\" \"MySQL\""

.

Tempo para conclusão: 2008-07-07 21:54:23

ComboFix-quarantined-files.txt 2008-07-07 20:53:59

 

Pre-Run: 17,132,359,680 bytes livres

Post-Run: 17,319,522,304 bytes livres

 

137 --- E O F --- 2008-06-26 12:17:10

 

HIJACK

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:32:17, on 07-07-2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\S24EvMon.exe

C:\WINDOWS\system32\ACS.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programas\Apache Software Foundation\Apache2.2\bin\httpd.exe

C:\Programas\Bonjour\mDNSResponder.exe

C:\Programas\TOSHIBA\Power Management\CeEPwrSvc.exe

C:\Programas\Apache Software Foundation\Apache2.2\mysql\bin\mysqld.exe

C:\WINDOWS\system32\RegSrvc.exe

C:\Programas\Apache Software Foundation\Apache2.2\bin\httpd.exe

C:\Programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\system32\1XConfig.exe

C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Programas\TOSHIBA\PadTouch\PadExe.exe

C:\Programas\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Programas\TOSHIBA\Power Management\CePMTray.exe

C:\Programas\TOSHIBA\E-KEY\CeEKey.exe

C:\Programas\EzButton\EzButton.EXE

C:\Programas\TOSHIBA\TouchPad\TPTray.exe

C:\WINDOWS\System32\ZoomingHook.exe

C:\Programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Programas\Java\jre1.6.0_05\bin\jusched.exe

C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE

C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe

C:\Programas\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe

C:\Programas\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe

C:\Programas\Ficheiros comuns\PCSuite\Services\ServiceLayer.exe

C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe

C:\WINDOWS\explorer.exe

C:\Programas\Internet Explorer\iexplore.exe

C:\Programas\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/ig?hl=pt-PT&source=iglk

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [PadTouch] "C:\Programas\TOSHIBA\PadTouch\PadExe.exe

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Programas\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [CeEPOWER] C:\Programas\TOSHIBA\Power Management\CePMTray.exe

O4 - HKLM\..\Run: [CeEKEY] C:\Programas\TOSHIBA\E-KEY\CeEKey.exe

O4 - HKLM\..\Run: [EzButton] C:\Programas\EzButton\EzButton.EXE

O4 - HKLM\..\Run: [TPNF] C:\Programas\TOSHIBA\TouchPad\TPTray.exe

O4 - HKLM\..\Run: [ZoomingHook] c:\WINDOWS\System32\ZoomingHook.exe

O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\FICHEI~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [TOSCDSPD] C:\Programas\TOSHIBA\TOSCDSPD\toscdspd.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Programas\Alcohol Soft\Alcohol 120\axcmd.exe" /automount

O4 - Startup: Adobe Gamma.lnk = C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: ApacheMonitor.lnk = C:\Programas\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O8 - Extra context menu item: Converter destino de link em Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Converter destino de link em PDF existente - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Converter em Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Converter em PDF existente - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Converter links selecionados em Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Converter links selecionados em PDF existente - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Converter seleção em Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Converter seleção em PDF existente - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://prerelease.trendmicro-europe.com/ho...ivex/hcImpl.cab

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9563.cab

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Programas\Ficheiros comuns\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe

O23 - Service: Apache2.2 - Apache Software Foundation - C:\Programas\Apache Software Foundation\Apache2.2\bin\httpd.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programas\Bonjour\mDNSResponder.exe

O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Programas\TOSHIBA\Power Management\CeEPwrSvc.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Gerenciador do Google Desktop 5.7.805.16405 (GoogleDesktopManager-051608-133132) - Google - C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programas\Ficheiros comuns\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: MySQL - Unknown owner - C:\Programas\Apache.exe (file missing)

O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe

O23 - Service: ServiceLayer - Nokia. - C:\Programas\Ficheiros comuns\PCSuite\Services\ServiceLayer.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

 

--

End of file - 9519 bytes

 

Obrigado

[pteixeira 0]

VundoFix V7.0.6

 

Scan started at 21:28:00 07-07-2008

 

Listing files found while scanning....

 

No infected files were found.

[jgarcia 1]

Opa pteixeira,

 

Poste um novo log do ComboFix.

 

Abraços.

[pteixeira 0]

Viva Garcia, sinceramente lamento estar sempre a xatear com estes problemas de virus e virinhas e tretas e mais tretas que são estes malditos SPYWARES

 

Continuo com problemas vou postar o Log do Hijack como os problemas eram identicos com os anteriores corri (o combofix pelo que tb anexo LOG)

 

Log COMBOFIX

ComboFix 08-07-20.A0 - pedro 2008-07-22 11:17:29.7 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.2070.18.146 [GMT 1:00]

Executando de: C:\Documents and Settings\pedro\Ambiente de trabalho\ComboFix.exe

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusäes )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\system32\AHPWHkkj.ini

C:\WINDOWS\system32\AHPWHkkj.ini2

 

.

((((((((((((((((((((((( Ficheiros criados de 2008-06-22 to 2008-07-22 ))))))))))))))))))))))))))))))))

.

 

2008-07-22 10:11 . 2008-07-22 10:11 <DIR> d-------- C:\Programas\ESET

2008-07-22 00:46 . 2008-07-22 00:44 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys

2008-07-22 00:44 . 2008-07-22 00:46 <DIR> d-------- C:\Documents and Settings\pedro\.housecall6.6

2008-07-21 22:26 . 2008-07-21 22:30 43,590 ---hs---- C:\WINDOWS\system32\rcslpcdf.ini

2008-07-21 20:26 . 2008-07-21 23:30 110,419 --a------ C:\WINDOWS\BM9f3b5939.xml

2008-07-21 20:23 . 2008-07-21 20:23 245,760 --a------ C:\WINDOWS\system32\jkkHWPHA.dll

2008-07-18 21:28 . 2008-07-21 20:28 <DIR> d-------- C:\Programas\Yahoo!

2008-07-18 21:28 . 2008-07-18 21:28 <DIR> d-------- C:\Programas\CCleaner

2008-07-18 00:47 . 2008-07-18 00:47 20,480 -r-hs---- C:\WINDOWS\isys32.exe

2008-07-17 23:29 . 2008-07-18 00:32 <DIR> d-------- C:\Programas\Ficheiros comuns\Macromedia

2008-07-08 22:56 . 2008-07-08 22:56 <DIR> d-------- C:\Programas\Astonsoft

2008-07-08 22:56 . 2008-07-08 23:04 <DIR> d-------- C:\Documents and Settings\pedro\Application Data\DeepBurner

2008-07-08 22:10 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys

2008-07-04 17:07 . 2008-07-04 17:07 <DIR> d-------- C:\Programas\TeamViewer3

2008-07-04 17:07 . 2008-07-04 17:07 <DIR> d-------- C:\Documents and Settings\pedro\temp

2008-07-04 17:07 . 2008-07-04 17:07 <DIR> d-------- C:\Documents and Settings\pedro\Application Data\TeamViewer

2008-07-04 00:21 . 2008-07-04 00:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer

2008-07-04 00:19 . 2008-07-04 00:19 <DIR> d-------- C:\Programas\Apple Software Update

2008-07-04 00:19 . 2008-07-04 00:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

2008-07-04 00:06 . 2008-07-22 10:08 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Definições locais

2008-07-04 00:06 . 2008-07-22 10:08 <DIR> d-------- C:\Documents and Settings\pedro\Definições locais

2008-07-04 00:06 . 2008-07-22 10:08 <DIR> d-------- C:\Documents and Settings\NetworkService\Definições locais

2008-07-04 00:06 . 2008-07-22 10:08 <DIR> d-------- C:\Documents and Settings\Marta\Definições locais

2008-07-04 00:06 . 2008-07-22 10:08 <DIR> d-------- C:\Documents and Settings\LocalService\Definições locais

2008-07-04 00:06 . 2008-07-22 10:08 <DIR> d-------- C:\Documents and Settings\Catarina\Definições locais

2008-07-03 00:23 . 2008-07-04 00:45 <DIR> d-------- C:\Programas\SpywareBlaster

2008-07-01 23:14 . 2008-07-01 23:15 <DIR> d-------- C:\Programas\Panda Security

2008-07-01 21:28 . 2008-07-01 21:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-07-01 00:11 . 2008-07-01 00:11 <DIR> d-------- C:\Programas\Trend Micro

2008-06-30 01:03 . 2008-06-30 01:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-06-30 00:52 . 2008-06-30 00:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8

2008-06-28 22:35 . 2008-07-06 14:07 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

2008-06-28 22:00 . 2008-06-28 22:00 0 --a------ C:\WINDOWS\TPTray.INI

2008-06-28 18:31 . 2008-06-28 18:31 0 --a------ C:\WINDOWS\CePMTray.INI

2008-06-28 16:52 . 2008-06-28 16:52 <DIR> d-------- C:\WINDOWS\system32\HouseCall 6.6

2008-06-28 16:52 . 2008-06-28 16:52 <DIR> d-------- C:\Documents and Settings\pedro\Application Data\HouseCall 6.6

 

.

((((((((((((((((((((((((((((((((((((( Relat¢rio Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-07-17 23:32 --------- d-----w C:\Programas\Macromedia

2008-07-17 22:27 --------- d--h--w C:\Programas\InstallShield Installation Information

2008-07-11 10:12 --------- d-----w C:\Documents and Settings\pedro\Application Data\FileZilla

2008-07-10 20:43 --------- d-----w C:\Programas\Google

2008-07-03 23:25 --------- d-----w C:\Programas\QuickTime

2008-06-26 12:18 13,646 ----a-w C:\WINDOWS\E220AutoRunLog.tmp

2008-06-20 17:41 248,320 ----a-w C:\WINDOWS\system32\mswsock.dll

2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys

2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys

2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys

2008-06-15 14:53 --------- d-----w C:\Programas\Easy GIF Animator

2008-06-14 17:59 272,640 ------w C:\WINDOWS\system32\drivers\bthport.sys

2008-06-11 21:30 --------- d-----w C:\Documents and Settings\pedro\Application Data\MySQL

2008-06-10 17:56 71,688 ----a-w C:\WINDOWS\system32\drivers\epfw.sys

2008-06-10 17:56 54,280 ----a-w C:\WINDOWS\system32\drivers\epfwtdi.sys

2008-06-10 17:56 30,728 ----a-w C:\WINDOWS\system32\drivers\epfwndis.sys

2008-06-10 17:48 53,256 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys

2008-06-10 17:47 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys

2008-05-31 11:42 --------- d-----w C:\Documents and Settings\Marta\Application Data\PC Suite

2008-05-30 21:38 --------- d-----w C:\Documents and Settings\pedro\Application Data\AdobeUM

2008-05-29 21:42 --------- d-----w C:\Programas\Ficheiros comuns\Adobe

2008-05-27 21:53 --------- dcsh--w C:\Programas\Ficheiros comuns\WindowsLiveInstaller

2008-05-27 21:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller

2008-05-27 21:44 --------- d-----w C:\Programas\Windows Live

2008-05-24 22:04 --------- d-----w C:\Programas\McDonaldsFairies

2008-05-24 21:47 --------- d-----w C:\Documents and Settings\Catarina\Application Data\PC Suite

2008-05-07 05:15 1,294,336 ----a-w C:\WINDOWS\system32\quartz.dll

2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

.

 

------- Sigcheck -------

 

2007-12-05 01:06 505344 410f13a4657b9c1f096b474e4031c293 C:\WINDOWS\system32\winlogon.exe

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* entradas vazias & leg¡timas por defeito nÆo sÆo mostradas.

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{079BD04D-B1B0-4197-8635-6849A3BD1E1E}]

2008-07-21 20:23 245760 --a------ C:\WINDOWS\system32\jkkHWPHA.dll

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="C:\Programas\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-16 09:49 65536]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

"AlcoholAutomount"="C:\Programas\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-03-20 17:46 217544]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 22:10 339968]

"PadTouch"="C:\Programas\TOSHIBA\PadTouch\PadExe.exe" [2004-02-12 13:04 1019904]

"PRONoMgr.exe"="C:\Programas\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-10 03:36 86016]

"CeEPOWER"="C:\Programas\TOSHIBA\Power Management\CePMTray.exe" [2004-08-18 11:21 135168]

"CeEKEY"="C:\Programas\TOSHIBA\E-KEY\CeEKey.exe" [2004-08-06 16:14 643072]

"EzButton"="C:\Programas\EzButton\EzButton.EXE" [2004-07-07 15:25 712704]

"TPNF"="C:\Programas\TOSHIBA\TouchPad\TPTray.exe" [2004-07-28 17:23 53248]

"ZoomingHook"="c:\WINDOWS\System32\ZoomingHook.exe" [2004-07-14 17:07 24576]

"Adobe_ID0EYTHM"="C:\PROGRA~1\FICHEI~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 17:40 1884160]

"Acrobat Assistant 7.0"="C:\Programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 02:08 483328]

"SunJavaUpdateSched"="C:\Programas\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" [2006-06-15 13:36 229376]

"Google Desktop Search"="C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-04 22:36 29744]

"QuickTime Task"="C:\Programas\QuickTime\qttask.exe" [2008-05-27 10:50 413696]

"egui"="C:\Programas\ESET\ESET Smart Security\egui.exe" [2008-06-10 18:52 1447168]

"AGRSMMSG"="AGRSMMSG.exe" [2004-02-21 04:00 88363 C:\WINDOWS\agrsmmsg.exe]

"Internet Explorer Sys32"="isys32.exe" [2008-07-18 00:47 20480 C:\WINDOWS\isys32.exe]

 

C:\Documents and Settings\Catarina\Menu Iniciar\Programas\Arranque\

Fairies.lnk - C:\Programas\McDonaldsFairies\McDonaldsFairies.exe [2008-05-24 23:03:27 2361239]

 

C:\Documents and Settings\pedro\Menu Iniciar\Programas\Arranque\

Adobe Gamma.lnk - C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 21:16:50 113664]

ApacheMonitor.lnk - C:\Programas\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2007-09-05 10:00:34 41041]

 

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\

Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1034-4700-7760-000000000002}\SC_Acrobat.exe [2007-12-05 00:27:39 25214]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]

2003-12-16 09:32 110592 C:\WINDOWS\system32\LgNotify.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2004-10-13 17:24 1694208 C:\Programas\Messenger\msmsgs.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\WINDOWS\\system32\\fxsclnt.exe"=

"C:\\Programas\\Messenger\\msmsgs.exe"=

"C:\\Programas\\TeamViewer3\\TeamViewer.exe"=

 

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]

R2 Apache2.2;Apache2.2;C:\Programas\Apache Software Foundation\Apache2.2\bin\httpd.exe [2007-09-05 09:59]

S3 GoogleDesktopManager-051608-133132;Gerenciador do Google Desktop 5.7.805.16405;C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe [2008-06-04 22:36]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1017ffce-a67b-11dc-aaeb-000e35768441}]

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL tmn.msi AUTORUN=1

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b133400c-a500-11dc-aaea-000e35768441}]

\Shell\AutoRun\command - E:\LaunchU3.exe -a

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{18B0E5C2-99CB-11CF-AYX5-00401C648513}]

C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\iuhi64.exe

.

.

------- Supplementary Scan -------

.

R0 -: HKCU-Main,Start Page = hxxp://www.google.pt/ig?hl=pt-PT&source=iglk

R1 -: HKCU-Internet Settings,ProxyOverride = *.local

R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/keyword/%s

O8 -: Converter destino de link em Adobe PDF - C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 -: Converter destino de link em PDF existente - C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 -: Converter em Adobe PDF - C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 -: Converter em PDF existente - C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 -: Converter links selecionados em Adobe PDF - C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 -: Converter links selecionados em PDF existente - C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 -: Converter seleção em Adobe PDF - C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 -: Converter seleção em PDF existente - C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 -: E&xportar para o Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

 

O16 -: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://prerelease.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

C:\WINDOWS\Downloaded Program Files\hcImpl.inf

 

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-22 11:29:58

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializ veis ocultas ...

 

Procurando ficheiros ocultos ...

 

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]

"ImagePath"="\"C:\Programas\Apache Software Foundation\Apache2.2\mysql\bin\mysqld\" --defaults-file=\"C:\Programas\Apache Software Foundation\Apache2.2\mysql\my.ini\" \"MySQL\""

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\system32\ati2evxx.exe

C:\WINDOWS\system32\S24EvMon.exe

C:\WINDOWS\system32\acs.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\system32\1XConfig.exe

C:\Programas\Bonjour\mDNSResponder.exe

C:\Programas\TOSHIBA\Power Management\CeEPwrSvc.exe

C:\Programas\ESET\ESET Smart Security\ekrn.exe

C:\Programas\Apache Software Foundation\Apache2.2\mysql\bin\mysqld.exe

C:\WINDOWS\system32\RegSrvc.exe

C:\Programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\Programas\Ficheiros comuns\PCSuite\Services\ServiceLayer.exe

.

**************************************************************************

.

Tempo para conclusÆo: 2008-07-22 11:39:17 - machine was rebooted

ComboFix-quarantined-files.txt 2008-07-22 10:38:09

 

Pre-Run: 16,733,548,544 bytes livres

Post-Run: 16,722,329,600 bytes livres

 

191 --- E O F --- 2008-07-10 07:24:47

 

 

 

 

 

Log HIJACK

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:40:00, on 22-07-2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\S24EvMon.exe

C:\WINDOWS\system32\ACS.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\system32\1XConfig.exe

C:\Programas\Apache Software Foundation\Apache2.2\bin\httpd.exe

C:\Programas\Bonjour\mDNSResponder.exe

C:\Programas\TOSHIBA\Power Management\CeEPwrSvc.exe

C:\Programas\ESET\ESET Smart Security\ekrn.exe

C:\Programas\Apache Software Foundation\Apache2.2\bin\httpd.exe

C:\Programas\Apache Software Foundation\Apache2.2\mysql\bin\mysqld.exe

C:\WINDOWS\system32\RegSrvc.exe

C:\Programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Programas\TOSHIBA\PadTouch\PadExe.exe

C:\Programas\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Programas\TOSHIBA\Power Management\CePMTray.exe

C:\Programas\TOSHIBA\E-KEY\CeEKey.exe

C:\Programas\EzButton\EzButton.EXE

C:\Programas\TOSHIBA\TouchPad\TPTray.exe

C:\WINDOWS\System32\ZoomingHook.exe

C:\Programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Programas\Java\jre1.6.0_05\bin\jusched.exe

C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE

C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe

C:\WINDOWS\isys32.exe

C:\Programas\ESET\ESET Smart Security\egui.exe

C:\Programas\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe

C:\Programas\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe

C:\Programas\Ficheiros comuns\PCSuite\Services\ServiceLayer.exe

C:\WINDOWS\explorer.exe

C:\Programas\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/ig?hl=pt-PT&source=iglk

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações

R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: (no name) - {079BD04D-B1B0-4197-8635-6849A3BD1E1E} - C:\WINDOWS\system32\jkkHWPHA.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [PadTouch] "C:\Programas\TOSHIBA\PadTouch\PadExe.exe

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Programas\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [CeEPOWER] C:\Programas\TOSHIBA\Power Management\CePMTray.exe

O4 - HKLM\..\Run: [CeEKEY] C:\Programas\TOSHIBA\E-KEY\CeEKey.exe

O4 - HKLM\..\Run: [EzButton] C:\Programas\EzButton\EzButton.EXE

O4 - HKLM\..\Run: [TPNF] C:\Programas\TOSHIBA\TouchPad\TPTray.exe

O4 - HKLM\..\Run: [ZoomingHook] c:\WINDOWS\System32\ZoomingHook.exe

O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\FICHEI~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [internet Explorer Sys32] isys32.exe

O4 - HKLM\..\Run: [egui] "C:\Programas\ESET\ESET Smart Security\egui.exe" /hide /waitservice

O4 - HKCU\..\Run: [TOSCDSPD] C:\Programas\TOSHIBA\TOSCDSPD\toscdspd.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Programas\Alcohol Soft\Alcohol 120\axcmd.exe" /automount

O4 - Startup: Adobe Gamma.lnk = C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: ApacheMonitor.lnk = C:\Programas\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O8 - Extra context menu item: Converter destino de link em Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Converter destino de link em PDF existente - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Converter em Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Converter em PDF existente - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Converter links selecionados em Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Converter links selecionados em PDF existente - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Converter seleção em Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Converter seleção em PDF existente - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://prerelease.trendmicro-europe.com/ho...ivex/hcImpl.cab

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programas\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9563.cab

O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Programas\Ficheiros comuns\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe

O23 - Service: Apache2.2 - Apache Software Foundation - C:\Programas\Apache Software Foundation\Apache2.2\bin\httpd.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programas\Bonjour\mDNSResponder.exe

O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Programas\TOSHIBA\Power Management\CeEPwrSvc.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Programas\ESET\ESET Smart Security\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Programas\ESET\ESET Smart Security\ekrn.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Gerenciador do Google Desktop 5.7.805.16405 (GoogleDesktopManager-051608-133132) - Google - C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programas\Ficheiros comuns\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: MySQL - Unknown owner - C:\Programas\Apache.exe (file missing)

O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe

O23 - Service: ServiceLayer - Nokia. - C:\Programas\Ficheiros comuns\PCSuite\Services\ServiceLayer.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

 

--

End of file - 10058 bytes

[jgarcia 1]

Opa pteixeira,

 

Siga as instruções:

 

1. Abra o Bloco de Notas -> Copie (Control + C) e Cole (Control + V) todo o texto incluído no "Quote":

File::

C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\iuhi64.exe

C:\WINDOWS\system32\rcslpcdf.ini

C:\WINDOWS\system32\jkkHWPHA.dll

C:\WINDOWS\BM9f3b5939.xml

C:\WINDOWS\isys32.exe

E:\LaunchU3.exe

Folder::

C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{079BD04D-B1B0-4197-8635-6849A3BD1E1E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Internet Explorer Sys32"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000000

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 1 (0x1)

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1017ffce-a67b-11dc-aaeb-000e35768441}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b133400c-a500-11dc-aaea-000e35768441}]

[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{18B0E5C2-99CB-11CF-AYX5-00401C648513}]

ATENÇÃO: O script acima foi elaborado especifícamente para a infecção contida neste computador. Utilizá-lo em outra máquina poderá originar graves problemas ao usuário.

• 2. Salve o arquivo como CFScript.txt;
   
  3. Tal como exemplificado na foto abaixo, arraste o arquivo CFScript.txt para o ComboFix.exe.
  
   
  4. Ao término do processo a ferramenta irá gerar um log. Poste-o (C:\ComboFix.txt) em sua próxima resposta, juntamente com um novo log do HijackThis.
  

Abraços.

[pteixeira 0]

Caro Garcia, como combinado anexo POST

 

HIJACK

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:55:32, on 23-07-2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\S24EvMon.exe

C:\WINDOWS\system32\ACS.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programas\Apache Software Foundation\Apache2.2\bin\httpd.exe

C:\Programas\Bonjour\mDNSResponder.exe

C:\Programas\TOSHIBA\Power Management\CeEPwrSvc.exe

C:\Programas\ESET\ESET Smart Security\ekrn.exe

C:\Programas\Apache Software Foundation\Apache2.2\mysql\bin\mysqld.exe

C:\Programas\Apache Software Foundation\Apache2.2\bin\httpd.exe

C:\WINDOWS\system32\RegSrvc.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\system32\1XConfig.exe

C:\WINDOWS\Explorer.EXE

C:\Programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Programas\TOSHIBA\PadTouch\PadExe.exe

C:\Programas\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Programas\TOSHIBA\Power Management\CePMTray.exe

C:\Programas\TOSHIBA\E-KEY\CeEKey.exe

C:\Programas\EzButton\EzButton.EXE

C:\Programas\TOSHIBA\TouchPad\TPTray.exe

C:\WINDOWS\System32\ZoomingHook.exe

C:\Programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Programas\Java\jre1.6.0_05\bin\jusched.exe

C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE

C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe

C:\Programas\ESET\ESET Smart Security\egui.exe

C:\Programas\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programas\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe

C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe

C:\Programas\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe

C:\Programas\Ficheiros comuns\PCSuite\Services\ServiceLayer.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Programas\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/ig?hl=pt-PT&source=iglk

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações

R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [PadTouch] "C:\Programas\TOSHIBA\PadTouch\PadExe.exe

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Programas\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [CeEPOWER] C:\Programas\TOSHIBA\Power Management\CePMTray.exe

O4 - HKLM\..\Run: [CeEKEY] C:\Programas\TOSHIBA\E-KEY\CeEKey.exe

O4 - HKLM\

[jgarcia 1]

Opa pteixeira,

 

O log do HijackThis está incompleto e você esqueceu de postar o do ComboFix.

 

Abraços.

[pteixeira 0]

COMBOFIX

 

ComboFix 08-07-20.A0 - pedro 2008-07-23 11:37:25.8 - NTFSx86

Executando de: C:\Documents and Settings\pedro\Ambiente de trabalho\ComboFix.exe

Command switches used :: C:\Documents and Settings\pedro\Ambiente de trabalho\CFScript.txt

* Criado um novo ponto de restauro

* Resident AV is active

 

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

 

FILE ::

C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\iuhi64.exe

C:\WINDOWS\BM9f3b5939.xml

C:\WINDOWS\isys32.exe

C:\WINDOWS\system32\jkkHWPHA.dll

C:\WINDOWS\system32\rcslpcdf.ini

E:\LaunchU3.exe

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\isys32.exe

C:\WINDOWS\pskt.ini

C:\WINDOWS\system32\mcrh.tmp

C:\WINDOWS\system32\rcslpcdf.ini

 

.

((((((((((((((((((((((( Ficheiros criados de 2008-06-23 to 2008-07-23 ))))))))))))))))))))))))))))))))

.

 

2008-07-23 06:03 . 2008-07-23 06:03 <DIR> d-------- C:\Programas\Malwarebytes' Anti-Malware

2008-07-23 06:03 . 2008-07-23 06:03 <DIR> d-------- C:\Documents and Settings\pedro\Application Data\Malwarebytes

2008-07-23 06:03 . 2008-07-23 06:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-07-23 06:03 . 2008-07-20 20:21 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-07-23 06:03 . 2008-07-20 20:21 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-07-22 23:26 . 2008-07-22 23:28 469,024 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat

2008-07-22 23:26 . 2008-07-22 23:28 6,572 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx

2008-07-22 10:11 . 2008-07-22 10:11 <DIR> d-------- C:\Programas\ESET

2008-07-22 00:46 . 2008-07-22 00:44 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys

2008-07-22 00:44 . 2008-07-22 00:46 <DIR> d-------- C:\Documents and Settings\pedro\.housecall6.6

2008-07-18 21:28 . 2008-07-21 20:28 <DIR> d-------- C:\Programas\Yahoo!

2008-07-18 21:28 . 2008-07-18 21:28 <DIR> d-------- C:\Programas\CCleaner

2008-07-17 23:29 . 2008-07-18 00:32 <DIR> d-------- C:\Programas\Ficheiros comuns\Macromedia

2008-07-08 22:56 . 2008-07-08 22:56 <DIR> d-------- C:\Programas\Astonsoft

2008-07-08 22:56 . 2008-07-08 23:04 <DIR> d-------- C:\Documents and Settings\pedro\Application Data\DeepBurner

2008-07-08 22:10 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys

2008-07-04 17:07 . 2008-07-04 17:07 <DIR> d-------- C:\Programas\TeamViewer3

2008-07-04 17:07 . 2008-07-04 17:07 <DIR> d-------- C:\Documents and Settings\pedro\temp

2008-07-04 17:07 . 2008-07-04 17:07 <DIR> d-------- C:\Documents and Settings\pedro\Application Data\TeamViewer

2008-07-04 00:21 . 2008-07-04 00:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer

2008-07-04 00:19 . 2008-07-04 00:19 <DIR> d-------- C:\Programas\Apple Software Update

2008-07-04 00:19 . 2008-07-04 00:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

2008-07-04 00:06 . 2008-07-22 11:39 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Definiþ§es locais

2008-07-04 00:06 . 2008-07-22 11:39 <DIR> d-------- C:\Documents and Settings\pedro\Definiþ§es locais

2008-07-04 00:06 . 2008-07-22 11:39 <DIR> d-------- C:\Documents and Settings\NetworkService\Definiþ§es locais

2008-07-04 00:06 . 2008-07-22 11:39 <DIR> d-------- C:\Documents and Settings\Marta\Definiþ§es locais

2008-07-04 00:06 . 2008-07-22 11:39 <DIR> d-------- C:\Documents and Settings\LocalService\Definiþ§es locais

2008-07-04 00:06 . 2008-07-22 11:39 <DIR> d-------- C:\Documents and Settings\Catarina\Definiþ§es locais

2008-07-03 00:23 . 2008-07-04 00:45 <DIR> d-------- C:\Programas\SpywareBlaster

2008-07-01 23:14 . 2008-07-01 23:15 <DIR> d-------- C:\Programas\Panda Security

2008-07-01 21:28 . 2008-07-01 21:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-07-01 00:11 . 2008-07-01 00:11 <DIR> d-------- C:\Programas\Trend Micro

2008-06-30 01:03 . 2008-06-30 01:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-06-30 00:52 . 2008-06-30 00:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8

2008-06-28 22:35 . 2008-07-06 14:07 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

2008-06-28 22:00 . 2008-06-28 22:00 0 --a------ C:\WINDOWS\TPTray.INI

2008-06-28 18:31 . 2008-06-28 18:31 0 --a------ C:\WINDOWS\CePMTray.INI

2008-06-28 16:52 . 2008-06-28 16:52 <DIR> d-------- C:\WINDOWS\system32\HouseCall 6.6

2008-06-28 16:52 . 2008-06-28 16:52 <DIR> d-------- C:\Documents and Settings\pedro\Application Data\HouseCall 6.6

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-07-17 23:32 --------- d-----w C:\Programas\Macromedia

2008-07-17 22:27 --------- d--h--w C:\Programas\InstallShield Installation Information

2008-07-11 10:12 --------- d-----w C:\Documents and Settings\pedro\Application Data\FileZilla

2008-07-10 20:43 --------- d-----w C:\Programas\Google

2008-07-03 23:25 --------- d-----w C:\Programas\QuickTime

2008-06-26 12:18 13,646 ----a-w C:\WINDOWS\E220AutoRunLog.tmp

2008-06-20 17:41 248,320 ----a-w C:\WINDOWS\system32\mswsock.dll

2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys

2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys

2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys

2008-06-15 14:53 --------- d-----w C:\Programas\Easy GIF Animator

2008-06-14 17:59 272,640 ------w C:\WINDOWS\system32\drivers\bthport.sys

2008-06-11 21:30 --------- d-----w C:\Documents and Settings\pedro\Application Data\MySQL

2008-06-10 17:56 71,688 ----a-w C:\WINDOWS\system32\drivers\epfw.sys

2008-06-10 17:56 54,280 ----a-w C:\WINDOWS\system32\drivers\epfwtdi.sys

2008-06-10 17:56 30,728 ----a-w C:\WINDOWS\system32\drivers\epfwndis.sys

2008-06-10 17:48 53,256 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys

2008-06-10 17:47 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys

2008-05-31 11:42 --------- d-----w C:\Documents and Settings\Marta\Application Data\PC Suite

2008-05-30 21:38 --------- d-----w C:\Documents and Settings\pedro\Application Data\AdobeUM

2008-05-29 21:42 --------- d-----w C:\Programas\Ficheiros comuns\Adobe

2008-05-27 21:53 --------- dcsh--w C:\Programas\Ficheiros comuns\WindowsLiveInstaller

2008-05-27 21:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller

2008-05-27 21:44 --------- d-----w C:\Programas\Windows Live

2008-05-24 22:04 --------- d-----w C:\Programas\McDonaldsFairies

2008-05-24 21:47 --------- d-----w C:\Documents and Settings\Catarina\Application Data\PC Suite

2008-05-07 05:15 1,294,336 ----a-w C:\WINDOWS\system32\quartz.dll

2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

.

 

------- Sigcheck -------

 

2007-12-05 01:06 505344 410f13a4657b9c1f096b474e4031c293 C:\WINDOWS\system32\winlogon.exe

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* entradas vazias & legítimas por defeito não são mostradas.

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="C:\Programas\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-16 09:49 65536]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

"AlcoholAutomount"="C:\Programas\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-03-20 17:46 217544]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 22:10 339968]

"PadTouch"="C:\Programas\TOSHIBA\PadTouch\PadExe.exe" [2004-02-12 13:04 1019904]

"PRONoMgr.exe"="C:\Programas\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-10 03:36 86016]

"CeEPOWER"="C:\Programas\TOSHIBA\Power Management\CePMTray.exe" [2004-08-18 11:21 135168]

"CeEKEY"="C:\Programas\TOSHIBA\E-KEY\CeEKey.exe" [2004-08-06 16:14 643072]

"EzButton"="C:\Programas\EzButton\EzButton.EXE" [2004-07-07 15:25 712704]

"TPNF"="C:\Programas\TOSHIBA\TouchPad\TPTray.exe" [2004-07-28 17:23 53248]

"ZoomingHook"="c:\WINDOWS\System32\ZoomingHook.exe" [2004-07-14 17:07 24576]

"Adobe_ID0EYTHM"="C:\PROGRA~1\FICHEI~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 17:40 1884160]

"Acrobat Assistant 7.0"="C:\Programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 02:08 483328]

"SunJavaUpdateSched"="C:\Programas\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" [2006-06-15 13:36 229376]

"Google Desktop Search"="C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-04 22:36 29744]

"QuickTime Task"="C:\Programas\QuickTime\qttask.exe" [2008-05-27 10:50 413696]

"egui"="C:\Programas\ESET\ESET Smart Security\egui.exe" [2008-06-10 18:52 1447168]

"AGRSMMSG"="AGRSMMSG.exe" [2004-02-21 04:00 88363 C:\WINDOWS\agrsmmsg.exe]

 

C:\Documents and Settings\Catarina\Menu Iniciar\Programas\Arranque\

Fairies.lnk - C:\Programas\McDonaldsFairies\McDonaldsFairies.exe [2008-05-24 23:03:27 2361239]

 

C:\Documents and Settings\pedro\Menu Iniciar\Programas\Arranque\

Adobe Gamma.lnk - C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 21:16:50 113664]

ApacheMonitor.lnk - C:\Programas\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2007-09-05 10:00:34 41041]

 

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\

Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1034-4700-7760-000000000002}\SC_Acrobat.exe [2007-12-05 00:27:39 25214]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]

2003-12-16 09:32 110592 C:\WINDOWS\system32\LgNotify.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2004-10-13 17:24 1694208 C:\Programas\Messenger\msmsgs.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\WINDOWS\\system32\\fxsclnt.exe"=

"C:\\Programas\\Messenger\\msmsgs.exe"=

"C:\\Programas\\TeamViewer3\\TeamViewer.exe"=

 

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]

R2 Apache2.2;Apache2.2;C:\Programas\Apache Software Foundation\Apache2.2\bin\httpd.exe [2007-09-05 09:59]

S3 GoogleDesktopManager-051608-133132;Gerenciador do Google Desktop 5.7.805.16405;C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe [2008-06-04 22:36]

 

*Newly Created Service* - CATCHME

.

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-23 11:42:04

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros ocultos ...

 

Varredura completada com sucesso

Ficheiros ocultos: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL]

"ImagePath"="\"C:\Programas\Apache Software Foundation\Apache2.2\mysql\bin\mysqld\" --defaults-file=\"C:\Programas\Apache Software Foundation\Apache2.2\mysql\my.ini\" \"MySQL\""

.

Tempo para conclusão: 2008-07-23 11:48:35

ComboFix-quarantined-files.txt 2008-07-23 10:48:02

ComboFix2.txt 2008-07-22 10:39:18

 

Pre-Run: 16,698,347,520 bytes livres

Post-Run: 16,689,471,488 bytes livres

 

164 --- E O F --- 2008-07-10 07:24:47

 

HIJACK

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:47:41, on 23-07-2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\S24EvMon.exe

C:\WINDOWS\system32\ACS.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\1XConfig.exe

C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Programas\TOSHIBA\PadTouch\PadExe.exe

C:\Programas\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Programas\TOSHIBA\Power Management\CePMTray.exe

C:\Programas\TOSHIBA\E-KEY\CeEKey.exe

C:\Programas\EzButton\EzButton.EXE

C:\Programas\TOSHIBA\TouchPad\TPTray.exe

C:\WINDOWS\System32\ZoomingHook.exe

C:\Programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Programas\Java\jre1.6.0_05\bin\jusched.exe

C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE

C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe

C:\Programas\ESET\ESET Smart Security\egui.exe

C:\Programas\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programas\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe

C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe

C:\Programas\Apache Software Foundation\Apache2.2\bin\httpd.exe

C:\Programas\Bonjour\mDNSResponder.exe

C:\Programas\TOSHIBA\Power Management\CeEPwrSvc.exe

C:\Programas\ESET\ESET Smart Security\ekrn.exe

C:\Programas\Apache Software Foundation\Apache2.2\mysql\bin\mysqld.exe

C:\Programas\Apache Software Foundation\Apache2.2\bin\httpd.exe

C:\WINDOWS\system32\RegSrvc.exe

C:\Programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\Programas\Ficheiros comuns\PCSuite\Services\ServiceLayer.exe

C:\Programas\Internet Explorer\iexplore.exe

C:\Programas\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe

C:\DOCUME~1\pedro\DEFINI~1\Temp\Adobelm_Cleanup.0001

C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

C:\DOCUME~1\pedro\DEFINI~1\Temp\Adobelm_Cleanup.0001

C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe

C:\Programas\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/ig?hl=pt-PT&source=iglk

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações

R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [PadTouch] "C:\Programas\TOSHIBA\PadTouch\PadExe.exe

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Programas\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [CeEPOWER] C:\Programas\TOSHIBA\Power Management\CePMTray.exe

O4 - HKLM\..\Run: [CeEKEY] C:\Programas\TOSHIBA\E-KEY\CeEKey.exe

O4 - HKLM\..\Run: [EzButton] C:\Programas\EzButton\EzButton.EXE

O4 - HKLM\..\Run: [TPNF] C:\Programas\TOSHIBA\TouchPad\TPTray.exe

O4 - HKLM\..\Run: [ZoomingHook] c:\WINDOWS\System32\ZoomingHook.exe

O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\FICHEI~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [egui] "C:\Programas\ESET\ESET Smart Security\egui.exe" /hide /waitservice

O4 - HKCU\..\Run: [TOSCDSPD] C:\Programas\TOSHIBA\TOSCDSPD\toscdspd.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Programas\Alcohol Soft\Alcohol 120\axcmd.exe" /automount

O4 - Startup: Adobe Gamma.lnk = C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: ApacheMonitor.lnk = C:\Programas\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O8 - Extra context menu item: Converter destino de link em Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Converter destino de link em PDF existente - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Converter em Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Converter em PDF existente - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Converter links selecionados em Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Converter links selecionados em PDF existente - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Converter seleção em Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Converter seleção em PDF existente - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://prerelease.trendmicro-europe.com/ho...ivex/hcImpl.cab

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programas\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9563.cab

O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Programas\Ficheiros comuns\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe

O23 - Service: Apache2.2 - Apache Software Foundation - C:\Programas\Apache Software Foundation\Apache2.2\bin\httpd.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programas\Bonjour\mDNSResponder.exe

O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Programas\TOSHIBA\Power Management\CeEPwrSvc.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Programas\ESET\ESET Smart Security\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Programas\ESET\ESET Smart Security\ekrn.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Gerenciador do Google Desktop 5.7.805.16405 (GoogleDesktopManager-051608-133132) - Google - C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programas\Ficheiros comuns\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: MySQL - Unknown owner - C:\Programas\Apache.exe (file missing)

O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe

O23 - Service: ServiceLayer - Nokia. - C:\Programas\Ficheiros comuns\PCSuite\Services\ServiceLayer.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

 

--

End of file - 10223 bytes

[pteixeira 0]

Oi Garcia, peço desculpa, mas n respondes-te ao POST.

 

Isso quer disser que o mesmo está limpo?

 

Obrigado.

[jgarcia 1]

Oi Garcia, peço desculpa, mas n respondes-te ao POST.

 

Isso quer disser que o mesmo está limpo?

É o que vamos ver. ;)

 

O Malwarebytes AntiMalware é um produto relativamente novo, porém com grande eficácia na remoção de infecções comuns. O programa é pequeno, gratuito e em português.

 

A sua instalação é o primeiro passo para a limpeza de um sistema operacional infectado.

 

Neste tutorial você aprenderá a instalá-lo e executá-lo.

 

1) Primeiramente faça o download do programa:

http://www.malwarebytes.org/mbam/program/mbam-setup.exe

 

2) Agora proceda a instalação do programa, conforme segue:

 

Execute o programa de instalação:

 

Logo após a execução do arquivo de instalação, será exibida a seguinte tela:

 

Agora, clique em Instalar para concluir:

 

Ao término da instalação deixe marcadas as opções de Atualização e Execução:

 

Será exibida então a tela de atualização do programa:

 

3) Essa é a tela inicial do programa. Marque a opção Verificação Completa e clique no botão Verificar.

 

Aguarde até o final da verificação:

 

Ao concluir a verificação, será exibida essa mensagem:

 

O resultado da verificação será exibido, com o nome dos arquivos e malwares encontrados.

Para efetivar a limpeza, clique em Remover selecionados:

 

Para concluir a limpeza haverá a necessidade da reinicialização do computador:

 

O programa guarda os logs das verificações feitas na pasta C:\Documents and Settings\Seu nome de Usuario\Dados de aplicativos\Malwarebytes\Malwarebytes' Anti-Malware\Logs, que também pode ser acessados na aba Logs, dentro do programa.

 

Retorne com o resultado da varredura.

 

Créditos: Fabio Assolini.

 

Link para a postagem original: aqui.

[pteixeira 0]

Entretanto quando o Windows arranca aparece a msg de WINDOWS MEMORIA VIRTUAL DEMASIADO BAIXA

 

Malwarebytes' Anti-Malware 1.23Versão do banco de dados: 985Windows 5.1.2600 Service Pack 20:32:43 31-07-2008mbam-log-7-31-2008 (00-32-43).txtTipo de Verificação: Completa (C:\|)Objetos verificados: 224612Tempo decorrido: 1 hour(s), 13 minute(s), 0 second(s)Processos da Memória infectados: 0Módulos de Memória Infectados: 0Chaves do Registo infectadas: 0Valores do Registo infectados: 0Ítens do Registo infectados: 0Pastas infectadas: 0Ficheiros infectados: 1Processos da Memória infectados:(Nenhum item malicioso foi detectado)Módulos de Memória Infectados:(Nenhum item malicioso foi detectado)Chaves do Registo infectadas:(Nenhum item malicioso foi detectado)Valores do Registo infectados:(Nenhum item malicioso foi detectado)Ítens do Registo infectados:(Nenhum item malicioso foi detectado)Pastas infectadas:(Nenhum item malicioso foi detectado)Ficheiros infectados:C:\System Volume Information\_restore{087DC17E-FF1E-41FB-8201-2D21C0A6CAC2}\RP4\A0001203.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

[jgarcia 1]

Opa pteixeira,

 

1. Baixe o Kaspersky Virus Removal Tool.

 

2. O arquivo possui 19 Mb, mas o resultado compensará o trabalho.

 

3. Reinicie a máquina em Modo Seguro >> Se não conseguir utilize a ferramenta SafeBootKeyRepair para reparar a chave SafeBoot.

 

4. Execute a ferramenta dando duplo-clique sobre o arquivo baixado.

 

5. Abrir-se-á a seguinte janela:

 

6. Marque os diretórios que deseja varrer (é melhor marcar todos).

 

7. Clique em Scan e aguarde o término do processo.

 

8. Terminada a varredura, retorne com o resultado.

 

Abraços.

[pteixeira 0]

Viva Garcia, esta é a minha máquina lá de casa.

 

Como tal deixei de ser forreta e investi num antivirus comprei o PANDA IS 2008 que já detetou e eliminou os Spywares que estavam alojados na memória.

 

Assim sendo agradeço-te na mesma todo o esforço e dedicação que demonstras-te para resolver este problema.

 

 

----------

Mas neste momento estou é preocupado com o problema do PC de contabilidade do meu trabalho

 

Já estás a dar uma ajuda mas sei que está dificil, sempre que é colocado algo em USB o erro dispara, desta vez foi um CABO USB de uma máq. digital

http://forum.imasters.com.br/index.php...;p=1093343&

[jgarcia 1]

Viva Garcia, esta é a minha máquina lá de casa.

 

Como tal deixei de ser forreta e investi num antivirus comprei o PANDA IS 2008 que já detetou e eliminou os Spywares que estavam alojados na memória.

 

Assim sendo agradeço-te na mesma todo o esforço e dedicação que demonstras-te para resolver este problema.

 

 

----------

Mas neste momento estou é preocupado com o problema do PC de contabilidade do meu trabalho

 

Já estás a dar uma ajuda mas sei que está dificil, sempre que é colocado algo em USB o erro dispara, desta vez foi um CABO USB de uma máq. digital

http://forum.imasters.com.br/index.php...;p=1093343&

Este caso pode ser considerado resolvido, então?