[Resolvido!]Será Vírus?

Lais_ · Agosto 9, 2008

Será que é vírus?

Desinstalei o Norton do meu PC e o utilizei por um dia sem vírus, após isso esta lento demais , hoje mesmo coloquei o avast home e ele esta dando alerta de trojan e virus na memória e sempre tenho que reiniciar o micro para ele fazer Scan antes de iniciar o Win.

Dados do Micro: 512 RAM, 80 GB de HD , Windows XP.

Abaixo o Log que salvei do HijackThis, desde já agradeço a ajuda:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:49:14, on 8/8/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\avast\Avast4\aswUpdSv.exe

C:\Arquivos de programas\avast\Avast4\ashServ.exe

C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\system32\rundll32.exe

C:\ARQUIV~1\avast\Avast4\ashDisp.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\a-squared Free\a2service.exe

C:\Arquivos de programas\Ahead\bin\ibguard.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\slserv.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\avast\Avast4\ashMaiSv.exe

C:\Arquivos de programas\avast\Avast4\ashWebSv.exe

C:\Arquivos de programas\Ahead\bin\ibserver.exe

C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

C:\Arquivos de programas\Windows Live\Messenger\usnsvc.exe

C:\Arquivos de programas\a-squared Free\a2free.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rededosaber.sp.gov.br/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {21327959-7568-49C0-89E4-57AE710998F4} - C:\WINDOWS\system32\fcccbaaw.dll (file missing)

O2 - BHO: (no name) - {57F10F1F-F32C-4F95-AA8A-1A280C478670} - C:\WINDOWS\system32\ljJCrPFx.dll

O2 - BHO: {6f2c1777-a058-190a-0b94-cb4fcaf6c036} - {630c6fac-f4bc-49b0-a091-850a7771c2f6} - C:\WINDOWS\system32\uygmxz.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Lais\lsass.exe

O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257

O4 - HKLM\..\Run: [485f9526] rundll32.exe "C:\WINDOWS\system32\ihirbtkt.dll",b

O4 - HKLM\..\Run: [bM4b6ca6ba] Rundll32.exe "C:\WINDOWS\system32\cialyhes.dll",s

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\avast\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe

O4 - HKCU\..\Run: [tava] C:\WINDOWS\system32\tavo.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Arquivos de programas\MP3 Player Utilities 4.00\AMVConverter\grab.html

O8 - Extra context menu item: Add to AMV Converter... - C:\Arquivos de programas\MP3 Player Utilities 4.15\AMVConverter\grab.html

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Arquivos de programas\MP3 Player Utilities 4.15\MediaManager\grab.html

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Arquivos de programas\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{8AD19CD9-6D0B-46AB-895F-9C92F0FC7D8B}: NameServer = 200.204.0.10 200.204.0.10

O20 - Winlogon Notify: ljJCrPFx - C:\WINDOWS\SYSTEM32\ljJCrPFx.dll

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Arquivos de programas\a-squared Free\a2service.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\avast\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\avast\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\avast\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\avast\Avast4\ashWebSv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - C:\Arquivos de programas\Ahead\bin\ibguard.exe

O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - C:\Arquivos de programas\Ahead\bin\ibserver.exe

O23 - Service: MySql - Unknown owner - C:/Arquivos de programas/mysql4.0/bin/mysqld-nt.exe (file missing)

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Security Center\SymWSC.exe

--

End of file - 7459 bytes

DigRam · Agosto 9, 2008

Boa Noite! Lais_

<!> Existem,principalmente,infecções pelo Vundo.

-------------------------

<@> Baixe: < ComboFix.exe >

<@> Salve-o no Desktop!

<@> Desabilite as proteções residente de: antivírus,antispywares e Firewall.( Menos o do Windows! )

<@> Feche todas as janelas e execute a ferramenta!

Caso aconteça a notificação de: Aplicativo Win32 inválido,delete a ferramenta e faça,novamente,o download.
Salve-a no Desktop,renomeada como: Kombo.exe

Ps: Nomeie durante o salvamento,e não após salvá-la!

Ps: Caso ocorra alguma mensagem de erro,rode o ComboFix em Modo de Segurança.

<@> Abrirá a janela Auto Scan. Aguarde!

<@> Digite a opção para continuar e < Enter >

<@> Aguarde a conclusão! Durante o scan,evite tocar no mouse ou teclado!

<@> Para parar ou sair do ComboFix,tecle "N".

-------------------------

<@> Poste os relatórios: C:\ComboFix.txt,na sua resposta + Log do HJT,atualizado.

Abraços!

Lais_ · Agosto 9, 2008

Boa Noite DigRam :)

Abaixo o relatorio do ComboFix:

ComboFix 08-08-08.07 - Lais 2008-08-09 0:18:59.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.209 [GMT -3:00]

Executando de: C:\Documents and Settings\Lais\Desktop\ComboFix.exe

* Criado um novo ponto de restauro

ATENÇAO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!

.

((((((((((((((((((((((((((((((((((((( Outras Exclusäes )))))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Autorun.inf

C:\l1.cmd

C:\smss24.ini

C:\Temp\1cb

C:\Temp\1cb\syscheck.log

C:\tyktjfww.exe

C:\WINDOWS\BM4b6ca6ba.txt

C:\WINDOWS\BM4b6ca6ba.xml

C:\WINDOWS\pskt.ini

C:\WINDOWS\system32\Cfx32.lic

C:\WINDOWS\system32\cfx32.ocx

C:\WINDOWS\system32\ckvo.exe

C:\WINDOWS\system32\ckvo0.dll

C:\WINDOWS\system32\ckvo1.dll

C:\WINDOWS\system32\fffajc.dll

C:\WINDOWS\system32\hdbulnrj.dll

C:\WINDOWS\system32\ihirbtkt.dll

C:\WINDOWS\system32\kavo.exe

C:\WINDOWS\system32\kavo0.dll

C:\WINDOWS\system32\kavo1.dll

C:\WINDOWS\system32\ljJCrPFx.dll

C:\WINDOWS\system32\MSINET.oca

C:\WINDOWS\system32\mwfgpljt.ini

C:\WINDOWS\system32\opnkifff.dll

C:\WINDOWS\system32\pac.txt

C:\WINDOWS\system32\qoMEWPFU.dll

C:\WINDOWS\system32\smss24.ini

C:\WINDOWS\system32\ssqPgEwU.dll

C:\WINDOWS\system32\tavo.exe

C:\WINDOWS\system32\tavo0.dll

C:\WINDOWS\system32\tavo1.dll

C:\WINDOWS\system32\tktbrihi.ini

C:\WINDOWS\system32\vieivldk.ini

C:\WINDOWS\system32\waabcccf.ini

C:\WINDOWS\system32\waabcccf.ini2

.

((((((((((((((((((((((( Ficheiros criados de 2008-07-09 to 2008-08-09 ))))))))))))))))))))))))))))))))

.

2008-08-08 18:01 . 2008-08-08 18:01 <DIR> d-------- C:\Arquivos de programas\avast

2008-08-08 16:13 . 2008-08-08 16:13 312 --a------ C:\calc.sav

2008-08-08 08:24 . 2008-08-08 08:24 2,048 --a------ C:\WINDOWS\system32\mcjifrli.exe

2008-08-08 08:06 . 2008-08-08 08:06 2,048 --a------ C:\WINDOWS\system32\cumbybbp.exe

2008-08-07 23:23 . 2008-08-07 23:23 <DIR> d-------- C:\WINDOWS\system32\vpe

2008-08-07 23:23 . 2008-08-08 18:52 <DIR> d-------- C:\WINDOWS\system32\kBin02

2008-08-07 23:23 . 2008-08-08 11:45 <DIR> d-------- C:\WINDOWS\system32\crc4

2008-08-07 23:23 . 2008-08-07 23:23 <DIR> d-------- C:\Temp\epr1

2008-08-07 23:23 . 2008-08-09 00:19 <DIR> d-------- C:\Temp

2008-08-07 23:23 . 2008-08-07 23:23 77 --a------ C:\Documents and Settings\Lais\1489.bat

2008-08-02 20:12 . 2008-08-02 20:13 782,675 --a------ C:\email do cara para montar rede wireless.rar

2008-08-02 20:12 . 2008-08-02 20:13 126,976 --a------ C:\Rede sem fios.doc

2008-08-02 20:00 . 2008-08-02 20:00 17,570 --a------ C:\antena radio 4.jpg

2008-08-02 19:59 . 2008-08-02 19:59 43,434 --a------ C:\antena radio.jpg

2008-08-02 19:22 . 2008-08-02 19:22 1,303 ---hs---- C:\AlbumArt_{4F4F4DD6-F552-4CE1-AAA4-CA75D4B863CD}_Large.jpg

2008-08-02 19:22 . 2008-08-02 19:22 727 ---hs---- C:\AlbumArt_{4F4F4DD6-F552-4CE1-AAA4-CA75D4B863CD}_Small.jpg

2008-07-31 13:32 . 2008-07-31 13:32 <DIR> d-------- C:\Documents and Settings\Lais\Dados de aplicativos\Yahoo!

2008-07-31 10:30 . 2008-07-31 10:30 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Yahoo!

2008-07-19 11:44 . 2008-07-19 13:31 <DIR> d-------- C:\AUTOCAD

2008-07-15 10:45 . 2008-07-15 10:45 <DIR> d-------- C:\Documents and Settings\Lais\Dados de aplicativos\iLike

2008-07-15 10:45 . 2008-07-15 10:45 <DIR> d-------- C:\Arquivos de programas\iLike

2008-07-14 10:06 . 2008-07-14 10:06 <DIR> d-------- C:\Documents and Settings\Lais\Dados de aplicativos\PlayFirst

2008-07-14 10:06 . 2008-07-14 10:06 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\PlayFirst

2008-07-13 17:05 . 2003-05-12 20:25 503,808 --a------ C:\WINDOWS\system32\mpeg2dmx.ax

2008-07-13 17:05 . 2005-11-25 22:46 421,888 --a------ C:\WINDOWS\system32\RealMediaSplitter.ax

2008-07-13 17:05 . 2001-08-18 20:00 262,144 --a------ C:\WINDOWS\system32\mpg4ds32.axu

2008-07-13 17:05 . 2003-05-21 01:10 210,432 --a------ C:\WINDOWS\system32\mpgdec.ax

2008-07-13 17:05 . 2004-04-30 21:46 28,672 --a------ C:\WINDOWS\system32\t3odm.dll

2008-07-11 15:44 . 2008-07-11 15:53 <DIR> d-------- C:\Arquivos de programas\Avanquest update

2008-07-11 15:40 . 2008-07-11 21:42 <DIR> d-------- C:\Arquivos de programas\Motorola Phone Tools

.

((((((((((((((((((((((((((((((((((((( Relat¢rio Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-09 03:01 --------- d-----w C:\Arquivos de programas\a-squared Free

2008-08-08 01:04 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Symantec Shared

2008-08-07 23:53 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Symantec

2008-08-07 23:53 --------- d-----w C:\Arquivos de programas\Norton AntiVirus

2008-08-07 23:36 --------- d-----w C:\Arquivos de programas\Yahoo!

2008-07-29 22:15 --------- d-----w C:\Arquivos de programas\Zylom Games

2008-07-29 20:51 --------- d-----w C:\Documents and Settings\Lais\Dados de aplicativos\Zylom

2008-07-18 23:50 --------- d-----w C:\Arquivos de programas\Java

2008-07-13 20:18 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\DVD Shrink

2008-07-12 03:02 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\BVRP Software

2008-07-12 00:39 92,064 ----a-w C:\Documents and Settings\Lais\mqdmmdm.sys

2008-07-12 00:39 9,232 ----a-w C:\Documents and Settings\Lais\mqdmmdfl.sys

2008-07-12 00:39 79,328 ----a-w C:\Documents and Settings\Lais\mqdmserd.sys

2008-07-12 00:39 66,656 ----a-w C:\Documents and Settings\Lais\mqdmbus.sys

2008-07-12 00:39 6,208 ----a-w C:\Documents and Settings\Lais\mqdmcmnt.sys

2008-07-12 00:39 5,936 ----a-w C:\Documents and Settings\Lais\mqdmwhnt.sys

2008-07-12 00:39 4,048 ----a-w C:\Documents and Settings\Lais\mqdmcr.sys

2008-07-12 00:39 25,600 ----a-w C:\Documents and Settings\Lais\usbsermptxp.sys

2008-07-12 00:39 22,768 ----a-w C:\Documents and Settings\Lais\usbsermpt.sys

2008-07-11 18:44 --------- d--h--w C:\Arquivos de programas\InstallShield Installation Information

2008-07-03 01:15 22,768 ----a-w C:\WINDOWS\system32\drivers\usbsermpt.sys

2008-06-28 17:47 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Wextech Shared

2008-06-28 17:47 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Adobe

2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys

2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys

2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys

2008-06-14 17:59 272,384 ------w C:\WINDOWS\system32\drivers\bthport.sys

2006-09-11 23:18 769 -c--a-w C:\Arquivos de programas\PD9log.txt

2002-07-25 07:42 1,452,268 -c--a-w C:\Arquivos de programas\pdvbs9.chm

2002-07-19 18:27 12,566 -c--a-w C:\Arquivos de programas\readme.txt

2002-07-16 14:46 124,698 -c--a-w C:\Arquivos de programas\tch950.wri

2001-11-19 15:15 345,944 ----a-w C:\Arquivos de programas\tch900.wri

2001-11-17 10:17 2,556 -c--a-w C:\Arquivos de programas\xmlReleaseNotes.txt

2007-09-12 12:19 8,784 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\ractrlkeyhook.dll

2007-09-12 12:22 245,408 ----a-w C:\Arquivos de programas\mozilla firefox\plugins\unicows.dll

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

REGEDIT4

*Nota* entradas vazias & leg¡timas por defeito nÆo sÆo mostradas.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="C:\Arquivos de programas\Messenger\msmsgs.exe" [2004-10-13 13:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-03 23:45 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.l3codec"= l3codecp.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Windows32.exe]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Windows32.exe

backup=C:\WINDOWS\pss\Windows32.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2007-05-08 16:24 54840 C:\Arquivos de programas\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2004-10-13 13:24 1694208 C:\Arquivos de programas\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 09:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

--a--c--- 2003-12-08 16:35 32768 C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]

--a------ 2007-07-14 12:37 95960 C:\ARQUIV~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"C:\\Arquivos de programas\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"C:\\Arquivos de programas\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"C:\\Arquivos de programas\\HP\\HP Software Update\\HPWUCli.exe"=

"C:\\WINDOWS\\system32\\rtcshare.exe"=

"C:\\Arquivos de programas\\Google\\Google Talk\\googletalk.exe"=

"C:\\Arquivos de programas\\MSN\\MSNCoreFiles\\msn6.exe"=

"C:\\Arquivos de programas\\NetMeeting\\conf.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=

"C:\\Arquivos de programas\\Messenger\\msmsgs.exe"=

"C:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=

"C:\\Arquivos de programas\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"C:\\Arquivos de programas\\Yahoo!\\Messenger\\YServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"12794:TCP"= 12794:TCP:BitComet 12794 TCP

"12794:UDP"= 12794:UDP:BitComet 12794 UDP

"19532:TCP"= 19532:TCP:BitComet 19532 TCP

"19532:UDP"= 19532:UDP:BitComet 19532 UDP

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 11:35]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 11:37]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 14:09]

S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Arquivos de programas\LogMeIn\x86\RaInfo.sys []

S3 slnt;Real RTL8139 PCI Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\slnt.sys [2003-11-20 01:58]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{620c319f-21f3-11dd-8376-0013d454cff4}]

\Shell\AutoRun\command - E:\93vx0c.com

\Shell\explore\Command - E:\93vx0c.com

\Shell\open\Command - E:\93vx0c.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{897201b2-748a-11dc-80f3-0013d454cff4}]

\Shell\AutoRun\command - E:\tyktjfww.exe

\Shell\explore\Command - E:\tyktjfww.exe

\Shell\open\Command - E:\tyktjfww.exe

.

Conte£do da pasta 'Tarefas Agendadas'

2008-08-09 C:\WINDOWS\Tasks\Symantec NetDetect.job

- C:\Arquivos de programas\Symantec\LiveUpdate\NDETECT.EXE [2003-08-19 19:20]

.

- - - - ORFAOS REMOVIDOS - - - -

BHO-{21327959-7568-49C0-89E4-57AE710998F4} - C:\WINDOWS\system32\fcccbaaw.dll

BHO-{630c6fac-f4bc-49b0-a091-850a7771c2f6} - C:\WINDOWS\system32\uygmxz.dll

HKCU-Run-kamsoft - C:\WINDOWS\system32\ckvo.exe

HKLM-Run-485f9526 - C:\WINDOWS\system32\ihirbtkt.dll

HKLM-Run-BM4b6ca6ba - C:\WINDOWS\system32\cialyhes.dll

MSConfigStartUp-ccApp - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe

MSConfigStartUp-LogMeIn GUI - C:\Arquivos de programas\LogMeIn\x86\LogMeInSystray.exe

MSConfigStartUp-msbcs - C:\WINDOWS\system32\msbcs.exe

MSConfigStartUp-msgr - C:\WINDOWS\system32\msgr.exe

MSConfigStartUp-QuickTime Task - C:\Arquivos de programas\QuickTime\qttask.exe

MSConfigStartUp-RealTray - C:\Arquivos de programas\Real\RealPlayer\RealPlay.exe

MSConfigStartUp-SunJavaUpdateSched - C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe

MSConfigStartUp-SymantecFilterCheck - C:\WINDOWS\system32\gmilogof.exe

MSConfigStartUp-Windows32 - C:\Arquivos de programas\System\Windows32.exe

MSConfigStartUp-WinZip - C:\WINDOWS\system32\wzip32.exe

.

------- Ccan Suplementar -------

.

FireFox -: Profile - C:\Documents and Settings\Lais\Dados de aplicativos\Mozilla\Firefox\Profiles\k2288k3u.default\

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-09 00:26:12

Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializ veis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso

Ficheiros ocultos: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySql]

"ImagePath"="C:/Arquivos de programas/mysql4.0/bin/mysqld-nt.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySql]

"ImagePath"="C:/Arquivos de programas/mysql4.0/bin/mysqld-nt.exe"

.

------------------------ Outros Processos em Execu‡Æo ------------------------

.

C:\Arquivos de programas\avast\Avast4\aswUpdSv.exe

C:\Arquivos de programas\avast\Avast4\ashServ.exe

C:\Arquivos de programas\a-squared Free\a2service.exe

C:\Arquivos de programas\Ahead\bin\ibguard.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\HPZipm12.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\Arquivos de programas\avast\Avast4\ashMaiSv.exe

C:\Arquivos de programas\avast\Avast4\ashWebSv.exe

C:\Arquivos de programas\Ahead\bin\ibserver.exe

.

**************************************************************************

.

Tempo para conclusÆo: 2008-08-09 0:36:29 - Maquina reiniciou

ComboFix-quarantined-files.txt 2008-08-09 03:36:19

Pre-Run: 17 pasta(s) 67,357,179,904 bytes disponíveis

Post-Run: 22 pasta(s) 67,450,806,272 bytes dispon¡veis

249 --- E O F --- 2008-07-09 17:45:28

Lais_ · Agosto 9, 2008

Agora o Log do HijackThis:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 00:38:42, on 9/8/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\avast\Avast4\aswUpdSv.exe

C:\Arquivos de programas\avast\Avast4\ashServ.exe

C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\a-squared Free\a2service.exe

C:\Arquivos de programas\Ahead\bin\ibguard.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\HPZipm12.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\avast\Avast4\ashMaiSv.exe

C:\Arquivos de programas\avast\Avast4\ashWebSv.exe

C:\Arquivos de programas\Ahead\bin\ibserver.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Arquivos de programas\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rededosaber.sp.gov.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896