Chillaca

[Solved!] - LOG analysis - HijackThis


Logfile of HijackThis v1.99.1

Scan saved at 13:36:34, on 26/8/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\ICEOWS\ViewUpd\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\Spy\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [HP Software Update] "C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [lphcg3kj0er9n] C:\WINDOWS\system32\lphcg3kj0er9n.exe

O4 - HKLM\..\Run: [sMrhcl3kj0er9n] C:\Arquivos de programas\rhcl3kj0er9n\rhcl3kj0er9n.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spy\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\acstart17.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Inicialização rápida do HP Image Zone.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqthb08.exe

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\Spy\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\Spy\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


Good afternoon! Chillaca

 

<@> Download ComboFix.exe.

<@> Download it to the Desktop!

<@> Disable the resident protections of your antivirus, antispyware and firewall. (Except the Windows one!)

<@> Close all windows and run the tool!

 

If you get the notification: Invalid Win32 application, delete the tool and download it again.

Save it to the desktop, renamed as: Kombo.exe

PS: Name it while saving, not after saving it!

PS: If any error message appears, run ComboFix.exe in Safe Mode.

<@> The Auto Scan window will open. Wait!

<@> Type the option to continue! >> Enter

<@> Wait for it to finish!

<@> During the scan, avoid using the mouse or keyboard!

<@> To stop or exit ComboFix, press "N".

----------------------

<@> Post the reports: C:\ComboFix.txt + updated HJT log.

 

Regards!


Hello DigRam,

I can only use the computer in Safe Mode. When I ran COMBOFIX, the following message appeared together with a beep from the tower:

Combofix has detected the presence of rootkit activity and needs to reboot the machine.

 

I already rebooted, but it did the same thing again.

Thanks


Hey! Chillaca

 

<@> DOWNLOAD: < Kaspersky Virus Removal Tool >

-----------------------------

<@> Download the most recent update! <-- Check the dates!

<@> Save it in Program Files!

<@> Restart the computer in Safe Mode! <-- Important!

<@> Run the tool by double-clicking its executable.

<@> The following window will open:

 

[screenshot: Kaspersky-Virus-Removal-Tool_1.png]

 

<@> Under the option: Manual Cure, check all the boxes and click Scan.

<@> When the scan finishes, copy and post the report.

 

PS: Confirm the removal prompt for the detected files!

Regards!


Good evening DigRam!

Here is the Kaspersky report, as requested.

 

 

Scan

----

Scanned: 412487

Detected: 7

Untreated: 0

Start time: 26/8/2008 17:04:33

Duration: 03:59:35

Finish time: 26/8/2008 21:04:08

 

 

Detected

--------

Status Object

------ ------

deleted: riskware not-a-virus:FraudTool.Win32.XPAntivirus.qj File: C:\WINDOWS\system32\2.tmp

deleted: riskware not-a-virus:FraudTool.Win32.XPAntivirus.qj File: C:\WINDOWS\system32\3.tmp

deleted: riskware not-a-virus:FraudTool.Win32.XPAntivirus.qj File: C:\WINDOWS\system32\4.tmp

deleted: riskware not-a-virus:FraudTool.Win32.XPAntivirus.qj File: C:\WINDOWS\system32\5.tmp

deleted: riskware not-a-virus:FraudTool.Win32.XPAntivirus.qj File: C:\WINDOWS\system32\6.tmp

deleted: riskware not-a-virus:FraudTool.Win32.XPAntivirus.qj File: C:\WINDOWS\system32\7.tmp

deleted: riskware not-a-virus:FraudTool.Win32.XPAntivirus.qj File: C:\WINDOWS\system32\pphcg3kj0er9n.exe

 

 

Events

------

Time Name Status Reason

---- ---- ------ ------

 

 

Statistics

----------

Object Scanned Detected Untreated Deleted Moved to Quarantine Archives Packed files Password protected Corrupted

------ ------- -------- --------- ------- ------------------- -------- ------------ ------------------ ---------

 

 

Settings

--------

Parameter Value

--------- -----

Security Level Recommended

Action Prompt for action when the scan is complete

Run mode Manually

File types Scan all files

Scan only new and changed files No

Scan archives All

Scan embedded OLE objects All

Skip if object is larger than No

Skip if scan takes longer than No

Parse email formats No

Scan password-protected archives No

Enable iChecker technology No

Enable iSwift technology No

Show detected threats on "Detected" tab Yes

Rootkits search Yes

Deep rootkits search No

Use heuristic analyzer Yes

 

 

Quarantine

----------

Status Object Size Added

------ ------ ---- -----

 

 

Backup

------

Status Object Size

------ ------ ----

 

Thanks


Good evening! Chillaca

 

<@> Download SmitfraudFix.

<@> Save it to Local Disk C.

<@> Unzip the tool and keep the executable. (SmitfraudFix.cmd)

<@> Restart the computer in Safe Mode!

<@> Run SmitfraudFix.cmd with a double-click.

<@> Press option 2 --> Enter.

<@> When the message appears: Do you want to clean the registry, press option Y.

<@> Press Enter!

<@> Restart the computer normally!

<@> If the desktop has changed, fix it in the display properties. (Theme)

<@> Copy the log (rapport.txt) and post it in your reply + updated HijackThis.

 

Regards!


All done, DigRam, here it is:

 

SmitFraudFix v2.339

 

Scan done at 22:00:03,29, ter 26/08/2008

Run from C:\SmitfraudFix

OS: Microsoft Windows XP [versÆo 5.1.2600] - Windows_NT

The filesystem type is

Fix run in safe mode

 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{A3717295-941D-416F-9384-ED1736729F1C}"="scpLIB"

 

[HKEY_CLASSES_ROOT\CLSID\{A3717295-941D-416F-9384-ED1736729F1C}\InProcServer32]

@="C:\Arquivos de programas\Scpad\scpLIB.dll"

 

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A3717295-941D-416F-9384-ED1736729F1C}\InProcServer32]

@="C:\Arquivos de programas\Scpad\scpLIB.dll"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» hosts

 

 

127.0.0.1 localhost

 

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

 

VACFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

 

S!Ri's WS2Fix: LSP not Found.

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

 

GenericRenosFix by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

C:\DOCUME~1\ALLUSE~1\MENUIN~1\Antivirus XP 2008.lnk Deleted

 

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

 

IEDFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

 

 

 

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

 

404Fix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» AntiXPVSTFix

 

AntiXPVSTFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

 

[!] Malware.Win32.EncPk-DA.gen

O4 - HKLM\..\Run: [lphcg3kj0er9n] C:\WINDOWS\system32\lphcg3kj0er9n.exe

Deleting C:\WINDOWS\system32\lphcg3kj0er9n.exe

lphcg3kj0er9n.exe Deleted

 

[!] Suspicious file

C:\WINDOWS\system32\phcg3kj0er9n.bmp

Deleting C:\WINDOWS\system32\phcg3kj0er9n.bmp

phcg3kj0er9n.bmp Deleted

 

[!] Suspicious file

C:\WINDOWS\system32\blphcg3kj0er9n.scr

Deleting C:\WINDOWS\system32\blphcg3kj0er9n.scr

blphcg3kj0er9n.scr Deleted

 

 

 

»»»»»»»»»»»»»»»»»»»»»»»» RK

 

 

»»»»»»»»»»»»»»»»»»»»»»»» DNS

 

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7EBEFC5C-796C-4D3D-A725-0B8388C66ADA}: DhcpNameServer=10.1.1.1

HKLM\SYSTEM\CS1\Services\Tcpip\..\{7EBEFC5C-796C-4D3D-A725-0B8388C66ADA}: DhcpNameServer=10.1.1.1

HKLM\SYSTEM\CS2\Services\Tcpip\..\{7EBEFC5C-796C-4D3D-A725-0B8388C66ADA}: DhcpNameServer=10.1.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.1.1.1

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.1.1.1

HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=10.1.1.1

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

 

Registry Cleaning done.

 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{A3717295-941D-416F-9384-ED1736729F1C}"="scpLIB"

 

[HKEY_CLASSES_ROOT\CLSID\{A3717295-941D-416F-9384-ED1736729F1C}\InProcServer32]

@="C:\Arquivos de programas\Scpad\scpLIB.dll"

 

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A3717295-941D-416F-9384-ED1736729F1C}\InProcServer32]

@="C:\Arquivos de programas\Scpad\scpLIB.dll"

 

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

 

 

and the updated HJT:

 

Logfile of HijackThis v1.99.1

Scan saved at 22:05:47, on 26/8/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\cleanmgr.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Administrador\Desktop\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\Spy\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [HP Software Update] "C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sMrhcl3kj0er9n] C:\Arquivos de programas\rhcl3kj0er9n\rhcl3kj0er9n.exe

O4 - HKLM\..\Run: [combofix] "C:\WINDOWS\system32\CF29390.exe" /c "C:\327882R2FWJFW\C.bat"

O4 - HKLM\..\Run: [is-AVCTE] "C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\is-AVCTE\is-AVCTE.exe"

O4 - HKLM\..\RunOnce: [combofix] "C:\WINDOWS\system32\CF29390.exe" /c "C:\327882R2FWJFW\C.bat"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spy\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\acstart17.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Inicialização rápida do HP Image Zone.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqthb08.exe

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\Spy\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\Spy\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: is-AVCTE - Unknown owner - C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\is-AVCTE\is-AVCTE.exe" -r (file missing)

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


Good morning! Chillaca

 

<@> Open Spybot Search & Destroy!

<@> In the top menu, go to Mode and select the Advanced option. Confirm!

<@> Click the Tools button and then Resident.

<@> Uncheck the option: Enable Resident "TeaTimer". (General protection of system settings)

-----------------------

<@> Open HijackThis --> Click: Do a system scan only

<@> Tick the boxes of these entries.

 

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

 

O4 - HKLM\..\Run: [sMrhcl3kj0er9n] C:\Arquivos de programas\rhcl3kj0er9n\rhcl3kj0er9n.exe

 

O4 - HKLM\..\Run: [combofix] "C:\WINDOWS\system32\CF29390.exe" /c "C:\327882R2FWJFW\C.bat"

 

O4 - HKLM\..\RunOnce: [combofix] "C:\WINDOWS\system32\CF29390.exe" /c "C:\327882R2FWJFW\C.bat"

<@> Finish them off by clicking Fix checked.

-----------------------

<@> Do a search and, if found, you may delete them.

 

C:\Arquivos de programas\rhcl3kj0er9n\rhcl3kj0er9n.exe <-- This executable!

 

C:\WINDOWS\system32\CF29390.exe <-- This executable!

 

C:\327882R2FWJFW\C.bat <-- This batch file!

 

C:\Arquivos de programas\rhcl3kj0er9n <-- The folder!

 

C:\327882R2FWJFW <-- The folder!

------------------------

<@> Go to this link and download:

 

< Malwarebytes >

 

<@> Update the program!

<@> Choose the Complete scan! (Full Scan)

<@> Disable protection programs when running Malwarebytes.

<@> Send the detected items to quarantine.

<@> For more details: < Link >

-----------------------

<@> Post the reports: mbam-log-8-26-2008 (00-00-00).txt + updated HijackThis.

 

Regards!

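As an added example (not part of this thread, and not HijackThis code), a small Python triage script that applies the same reasoning DigRam used on the log above: it parses HJT entry lines and flags orphaned O2 BHOs, O4 autoruns whose name or folder looks machine-generated (the rhcl3kj0er9n / lphcg3kj0er9n pattern), the leftover [combofix] Run/RunOnce entries, and O23 services marked file missing. The randomness heuristic and the fix/verify severities are my assumptions, and the sample log is constructed from lines in this thread.

```python
import re
from dataclasses import dataclass

# Constructed sample: entry lines copied from the second HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [sMrhcl3kj0er9n] C:\Arquivos de programas\rhcl3kj0er9n\rhcl3kj0er9n.exe
O4 - HKLM\..\Run: [combofix] "C:\WINDOWS\system32\CF29390.exe" /c "C:\327882R2FWJFW\C.bat"
O4 - HKLM\..\RunOnce: [combofix] "C:\WINDOWS\system32\CF29390.exe" /c "C:\327882R2FWJFW\C.bat"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# "O4 - ..." / "R0 - ..." prefix shared by every HJT entry line.
ENTRY_RE = re.compile(r"^(?P<kind>R\d|O\d{1,2})\s+-\s+(?P<rest>.*)$")
# Body of an O4 registry autorun: HKLM\..\Run: [name] command
RUN_RE = re.compile(
    r"^HK(?:LM|CU)\\\.\.\\(?P<key>Run|RunOnce):\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$"
)


@dataclass
class Finding:
    severity: str  # "fix" = tick in HJT / delete on disk, "verify" = confirm manually first
    reason: str
    line: str


def looks_random(token: str) -> bool:
    """Assumed heuristic: an alphanumeric token of 8+ chars that switches between
    letters and digits at least three times (rhcl3kj0er9n) is treated as generated.
    Ordinary names such as NeroFilterCheck, HPWuSchd2 or system32 do not trip it."""
    t = token.lower()
    if len(t) < 8 or not t.isalnum():
        return False
    if not (any(c.isdigit() for c in t) and any(c.isalpha() for c in t)):
        return False
    flips = sum(1 for a, b in zip(t, t[1:]) if a.isdigit() != b.isdigit())
    return flips >= 3


def path_tokens(cmd: str) -> list:
    """Split a command line into folder names and file stems (quotes and extensions dropped)."""
    return [p.split(".")[0] for p in re.split(r'[\\/"\s]+', cmd) if p]


def triage(log_text: str) -> list:
    """Return one Finding per suspicious HJT entry, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        if kind == "O2" and rest.endswith("(no file)"):
            findings.append(Finding("fix", "BHO CLSID still registered but its DLL is gone (orphaned entry)", line))
        elif kind == "O4":
            r = RUN_RE.match(rest)
            if not r:  # Global Startup .lnk entries are not registry autoruns; skip them
                continue
            name, cmd = r.group("name"), r.group("cmd")
            if name.lower() == "combofix":
                findings.append(Finding("fix", "leftover autorun from the cleanup tool's own reboot step", line))
            elif looks_random(name) or any(looks_random(t) for t in path_tokens(cmd)):
                findings.append(Finding("fix", "machine-generated name in autorun (rogue-AV style)", line))
        elif kind == "O23" and rest.endswith("(file missing)"):
            if '"' in rest:
                # A stray quote means HJT cut the path at the service's quoted arguments;
                # the binary is usually present (ashMaiSv.exe is running later in the thread).
                findings.append(Finding("verify", "'file missing' on a quoted service path; confirm on disk before acting", line))
            else:
                findings.append(Finding("fix", "service points at a binary that no longer exists", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```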

Good morning DigRam,

 

Process done; the reports follow (two Malwarebytes reports, one from before deleting the infected files and another from after they were removed).

 

Before deleting:

 

Malwarebytes' Anti-Malware 1.25

Versão do banco de dados: 1088

Windows 5.1.2600 Service Pack 2

 

09:43:29 27/8/2008

mbam-log-08-27-2008 (09-43-29).txt

 

Tipo de Verificação: Completa (C:\|)

Objetos verificados: 87345

Tempo decorrido: 39 minute(s), 33 second(s)

 

Processos da Memória infectados: 0

Módulos de Memória Infectados: 0

Chaves do Registro infectadas: 3

Valores do Registro infectados: 4

Ítens do Registro infectados: 2

Pastas infectadas: 11

Arquivos infectados: 5

 

Processos da Memória infectados:

(Nenhum ítem malicioso foi detectado)

 

Módulos de Memória Infectados:

(Nenhum ítem malicioso foi detectado)

 

Chaves do Registro infectadas:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

 

Valores do Registro infectados:

HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

 

Ítens do Registro infectados:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

 

Pastas infectadas:

C:\Documents and Settings\Desq\Dados de aplicativos\rhcl3kj0er9n (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Desq\Dados de aplicativos\rhcl3kj0er9n\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Desq\Dados de aplicativos\rhcl3kj0er9n\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Desq\Dados de aplicativos\rhcl3kj0er9n\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Desq\Dados de aplicativos\rhcl3kj0er9n\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Desq\Dados de aplicativos\rhcl3kj0er9n\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Desq\Dados de aplicativos\rhcl3kj0er9n\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Desq\Dados de aplicativos\rhcl3kj0er9n\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Desq\Dados de aplicativos\rhcl3kj0er9n\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Desq\Dados de aplicativos\rhcl3kj0er9n\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Desq\Dados de aplicativos\rhcl3kj0er9n\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

 

Arquivos infectados:

C:\WINDOWS\Downloaded Program Files\scpsssh2.inf (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.

C:\Documents and Settings\Desq\Dados de aplicativos\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

 

 

 

After the files were removed:

 

Malwarebytes' Anti-Malware 1.25

Versão do banco de dados: 1088

Windows 5.1.2600 Service Pack 2

 

09:40:49 27/8/2008

mbam-log-08-27-2008 (09-40-35).txt

 

Tipo de Verificação: Completa (C:\|)

Objetos verificados: 87345

Tempo decorrido: 39 minute(s), 33 second(s)

 

Processos da Memória infectados: 0

Módulos de Memória Infectados: 0

Chaves do Registro infectadas: 3

Valores do Registro infectados: 4

Ítens do Registro infectados: 2

Pastas infectadas: 11

Arquivos infectados: 5

 

Processos da Memória infectados:

(Nenhum ítem malicioso foi detectado)

 

Módulos de Memória Infectados:

(Nenhum ítem malicioso foi detectado)

 

Chaves do Registro infectadas:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> No action taken.

 

Valores do Registro infectados:

HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> No action taken.

HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> No action taken.

HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> No action taken.

HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> No action taken.

 

Ítens do Registro infectados:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

 

Pastas infectadas:

C:\Documents and Settings\Desq\Dados de aplicativos\rhcl3kj0er9n (Rogue.Multiple) -> No action taken.

C:\Documents and Settings\Desq\Dados de aplicativos\rhcl3kj0er9n\Quarantine (Rogue.Multiple) -> No action taken.

C:\Documents and Settings\Desq\Dados de aplicativos\rhcl3kj0er9n\Quarantine\Autorun (Rogue.Multiple) -> No action taken.

C:\Documents and Settings\Desq\Dados de aplicativos\rhcl3kj0er9n\Quarantine\Autorun\HKCU (Rogue.Multiple) -> No action taken.

C:\Documents and Settings\Desq\Dados de aplicativos\rhcl3kj0er9n\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> No action taken.

C:\Documents and Settings\Desq\Dados de aplicativos\rhcl3kj0er9n\Quarantine\Autorun\HKLM (Rogue.Multiple) -> No action taken.

C:\Documents and Settings\Desq\Dados de aplicativos\rhcl3kj0er9n\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> No action taken.

C:\Documents and Settings\Desq\Dados de aplicativos\rhcl3kj0er9n\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> No action taken.

C:\Documents and Settings\Desq\Dados de aplicativos\rhcl3kj0er9n\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> No action taken.

C:\Documents and Settings\Desq\Dados de aplicativos\rhcl3kj0er9n\Quarantine\BrowserObjects (Rogue.Multiple) -> No action taken.

C:\Documents and Settings\Desq\Dados de aplicativos\rhcl3kj0er9n\Quarantine\Packages (Rogue.Multiple) -> No action taken.

 

Arquivos infectados:

C:\WINDOWS\Downloaded Program Files\scpsssh2.inf (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> No action taken.

C:\Documents and Settings\Desq\Dados de aplicativos\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> No action taken.

 

 

And HJT:

 

Logfile of HijackThis v1.99.1

Scan saved at 10:00:41, on 27/8/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\Arquivos de programas\QuickTime\QTTask.exe

C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe

C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\HP\Digital Imaging\bin\hpqgalry.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\Arquivos de programas\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\Spy\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [HP Software Update] "C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [is-AVCTE] "C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\is-AVCTE\is-AVCTE.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background

O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\acstart17.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Inicialização rápida do HP Image Zone.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqthb08.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\Spy\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\Spy\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: is-AVCTE - Unknown owner - C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\is-AVCTE\is-AVCTE.exe" -r (file missing)

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

 

Thanks

Cheers


Good morning, Chillaca

 

<@> Download: < Runscanner v. 1.7.0.0 >

<@> Save it to Local Disk C: and unzip it right there.

<@> Create a desktop shortcut to the executable. ( RunScanner.exe )

<@> Open the program and, with the Expert mode button already checked, click OK.

<@> Close all windows/programs before running this utility.

<@> Run it by clicking Scan computer. Wait!

<@> When it finishes, click the menu: Online analysis

<@> The page will open: online malware analysis report

---------------------

<@> Post the link to this analysis in your reply. ( PS: paste the address! )

 

Cheers!


Good morning DigRam,

sorry for the absence, but I had to travel for work unexpectedly.

I tried to generate the web page with the Runscanner report and was blocked by an error. Anyway, I will try again; in the meantime I saved a LOG-type report of the scan.

If you want to see it, here it is:

 

Runscanner logfile http://www.runscanner.net

 

* = signed file

- = file not found

 

General info

------------

Computer name : ESCRITORIO

Creation time : 29/8/2008 00:30:38

Hosts <> 127.0.0.1 : 0

Hosts file location : %SystemRoot%\System32\drivers\etc

IE version : 7.0.5730.13

OS : Microsoft Windows XP

OS Build : 2600

OS SP : Service Pack 2

RunScanner Version : 1.7.0.0

User Language : Português (Brasil)

User rights : Administrator

Windows folder : C:\WINDOWS

 

Running processes

-----------------

C:\Arquivos de programas\HP\Digital Imaging\bin\hpqgalry.exe (Hewlett-Packard Co.)

* C:\WINDOWS\system32\winlogon.exe (Microsoft Corporation)

* C:\WINDOWS\system32\services.exe (Microsoft Corporation)

* C:\WINDOWS\System32\alg.exe (Microsoft Corporation)

* C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe (ALWIL Software)

* C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)

* C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)

* C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe (ALWIL Software)

* C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)

* C:\WINDOWS\system32\csrss.exe (Microsoft Corporation)

* C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)

* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)

* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)

* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)

* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)

* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)

* C:\WINDOWS\System32\svchost.exe (Microsoft Corporation)

* c:\windows\System32\smss.exe (Microsoft Corporation)

C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)

C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe (Hewlett-Packard Company)

C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Company)

* C:\WINDOWS\system32\lsass.exe (Microsoft Corporation)

* C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)

* C:\Arquivos de programas\MSN Messenger\msnmsgr.exe (Microsoft Corporation)

C:\Arquivos de programas\QuickTime\QTTask.exe (Apple Inc.)

* C:\Documents and Settings\Desq\Desktop\RunScanner.exe (Runscanner.net)

* C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation)

* C:\WINDOWS\Explorer.EXE (Microsoft Corporation)

* C:\WINDOWS\system32\wscntfy.exe (Microsoft Corporation)

* C:\WINDOWS\system32\wuauclt.exe (Microsoft Corporation)

* C:\WINDOWS\system32\wuauclt.exe (Microsoft Corporation)

 

Unrated items

-------------

002 * C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe (ALWIL Software)

002 C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe (Hewlett-Packard Company)

002 C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Company)

002 C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\is-AVCTE\is-AVCTE.exe (Kaspersky Lab)

002 C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)

002 C:\Arquivos de programas\QuickTime\QTTask.exe (Apple Inc.)

002 C:\WINDOWS\system32\SiSPower.dll (Silicon Integrated Systems Corporation)

005 * C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\acstart17.exe (Autodesk, Inc)

005 C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)

005 C:\Arquivos de programas\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Co.)

010 * C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe (Autodesk Licensing Service)

010 * C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe (avast! Antivirus)

010 * C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe (avast! iAVS4 Control Service)

010 * C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe (avast! Mail Scanner)

010 * C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe (avast! Web Scanner)

010 C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\is-AVCTE\is-AVCTE.exe (is-AVCTE)

010 C:\WINDOWS\system32\HPZipm12.exe (Pml Driver HPZ12)

011 * C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys (aswFsBlk)

011 * C:\WINDOWS\system32\drivers\aswRdr.sys (aswRdr)

011 * C:\WINDOWS\system32\drivers\Aavmker4.sys (avast! Asynchronous Virus Monitor)

011 * C:\WINDOWS\system32\drivers\aswTdi.sys (avast! Network Shield Support)

011 * C:\WINDOWS\system32\drivers\aswSP.sys (avast! Self Protection)

011 * C:\WINDOWS\system32\drivers\aswMon2.sys (avast! Standard Shield Support)

011 * C:\WINDOWS\system32\drivers\68804311.sys (is-AVCTEdrv)

011 C:\WINDOWS\system32\DRIVERS\smserial.sys (smserial)

011 C:\WINDOWS\system32\drivers\viaudios.sys (Vinyl AC'97 Audio Controller (WDM))

031 C:\Arquivos de programas\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company) {CF184AD3-CDCB-4168-A3F7-8E447D129300}

031 C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation) {0A9007C0-4076-11D3-8789-0000F8105754}

041 C:\Arquivos de programas\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL (ZoneAlarm) {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA}

045 C:\Arquivos de programas\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL (ZoneAlarm) {F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}

051 C:\Arquivos de programas\Scpad\scpLIB.dll (Scopus Tecnologia Ltda) {A3717295-941D-416F-9384-ED1736729F1C}

052 C:\Arquivos de programas\Scpad\scpsssh2.dll (Scopus Tecnologia Ltda) {2E3C3651-B19C-4DD9-A979-901EC3E930AF}

052 C:\Arquivos de programas\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL (ZoneAlarm) {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}

060 C:\Arquivos de programas\Scpad\scpLIB.dll (Scopus Tecnologia Ltda) {A3717295-941D-416F-9384-ED1736729F1C}

061 * C:\WINDOWS\system32\AcSignIcon.dll (Autodesk) {36A21736-36C2-4C11-8ACB-D4136F2B57BD}

061 * C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Thumbnail\AcThumbnail16.dll (Autodesk) {AC1DB655-4F9A-4c39-8AD2-A65324A4C446}

061 * C:\Arquivos de programas\Alwil Software\Avast4\ashShell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}

061 C:\WINDOWS\system32\ShellExt\IceGUI.dll (Raphaël MOUNIER) {FEB7DAE0-E111-11D0-BFD7-444553540000}

062 C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\PDFShell.dll (Adobe Systems, Inc.) {F9DB5320-233E-11D1-9F84-707F02C10627}

069 C:\WINDOWS\system32\mdimon.dll (Microsoft Corporation)

100 Search Page HKCU : &http://home.microsoft.com/intl/br/access/allinone.asp

100 Start Page HKCU : http://www.uol.com.br/

105 E&xportar para o Microsoft Excel : res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

170 {1def7ec0-f2a6-11dc-877c-00115b6bb332} : E:\wdugva.exe

170 {bec5134c-fdd6-11dc-8792-00115b6bb332} : RavMon.exe

173 * C:\Arquivos de programas\Arquivos comuns\Autodesk shared\dwf common\DWFShellExtension.dll (Autodesk, Inc.) {6C18531F-CA85-45F7-8278-FF33CF0A5964}

173 * C:\Arquivos de programas\Alwil Software\Avast4\ashShell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}

173 C:\WINDOWS\system32\ShellExt\IceGUI.dll (Raphaël MOUNIER) {FEB7DAE0-E111-11D0-BFD7-444553540000}

221 * C:\Arquivos de programas\Arquivos comuns\Autodesk shared\dwf common\DWFShellExtension.dll (Autodesk, Inc.) {6C18531F-CA85-45F7-8278-FF33CF0A5964}

221 * C:\Arquivos de programas\Alwil Software\Avast4\ashShell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}

221 C:\WINDOWS\system32\ShellExt\IceGUI.dll (Raphaël MOUNIER) {FEB7DAE0-E111-11D0-BFD7-444553540000}

225 * C:\Arquivos de programas\Alwil Software\Avast4\ashShell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}

225 * C:\Arquivos de programas\Alwil Software\Avast4\ashShell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}

227 C:\WINDOWS\system32\ShellExt\IceGUI.dll (Raphaël MOUNIER) {FEB7DAE0-E111-11D0-BFD7-444553540000}

231 C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\PDFShell.dll (Adobe Systems, Inc.) PDF Column Info

241 * C:\WINDOWS\system32\AcSignIcon.dll (Autodesk) {36A21736-36C2-4C11-8ACB-D4136F2B57BD}

 

Missing files

-------------

011 C:\WINDOWS\system32\drivers\Abiosdsk.sys

011 C:\WINDOWS\system32\drivers\abp480n5.sys

011 C:\WINDOWS\system32\drivers\adpu160m.sys

011 C:\WINDOWS\system32\drivers\Aha154x.sys

011 C:\WINDOWS\system32\drivers\aic78u2.sys

011 C:\WINDOWS\system32\drivers\aic78xx.sys

011 C:\WINDOWS\system32\drivers\AliIde.sys

011 C:\WINDOWS\system32\drivers\amsint.sys

011 C:\WINDOWS\system32\drivers\asc.sys

011 C:\WINDOWS\system32\drivers\asc3350p.sys

011 C:\WINDOWS\system32\drivers\asc3550.sys

011 C:\WINDOWS\system32\drivers\Atdisk.sys

011 C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\catchme.sys

011 C:\WINDOWS\system32\drivers\cd20xrnt.sys

011 C:\WINDOWS\system32\drivers\Changer.sys

011 C:\WINDOWS\system32\drivers\CmdIde.sys

011 C:\WINDOWS\system32\drivers\Cpqarray.sys

011 C:\WINDOWS\system32\drivers\dac2w2k.sys

011 C:\WINDOWS\system32\drivers\dac960nt.sys

011 C:\WINDOWS\system32\drivers\dpti2o.sys

011 C:\WINDOWS\system32\drivers\hpn.sys

011 C:\WINDOWS\system32\drivers\i2omgmt.sys

011 C:\WINDOWS\system32\drivers\i2omp.sys

011 C:\WINDOWS\system32\drivers\ini910u.sys

011 C:\WINDOWS\system32\drivers\IntelIde.sys

011 C:\WINDOWS\system32\drivers\lbrtfdc.sys

011 C:\WINDOWS\system32\drivers\mraid35x.sys

011 C:\WINDOWS\system32\drivers\PCIDump.sys

011 C:\WINDOWS\system32\drivers\PDCOMP.sys

011 C:\WINDOWS\system32\drivers\PDFRAME.sys

011 C:\WINDOWS\system32\drivers\PDRELI.sys

011 C:\WINDOWS\system32\drivers\PDRFRAME.sys

011 C:\WINDOWS\system32\drivers\perc2.sys

011 C:\WINDOWS\system32\drivers\perc2hib.sys

011 C:\WINDOWS\system32\drivers\ql1080.sys

011 C:\WINDOWS\system32\drivers\Ql10wnt.sys

011 C:\WINDOWS\system32\drivers\ql12160.sys

011 C:\WINDOWS\system32\drivers\ql1240.sys

011 C:\WINDOWS\system32\drivers\ql1280.sys

011 C:\WINDOWS\system32\drivers\Simbad.sys

011 C:\WINDOWS\system32\drivers\Sparrow.sys

011 C:\WINDOWS\system32\drivers\sym_hi.sys

011 C:\WINDOWS\system32\drivers\sym_u3.sys

011 C:\WINDOWS\system32\drivers\symc810.sys

011 C:\WINDOWS\system32\drivers\symc8xx.sys

011 C:\WINDOWS\system32\drivers\TosIde.sys

011 C:\WINDOWS\system32\drivers\ultra.sys

011 C:\WINDOWS\system32\drivers\ViaIde.sys

011 C:\WINDOWS\system32\drivers\WDICA.sys

052 C:\ARQUIV~1\Spy\SPYBOT~1\SDHelper.dll

061 deskpan.dll

067

214

223 C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbamext.dll

225 C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbamext.dll

225 C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbamext.dll

 

Cheers


Good morning, Chillaca

 

<@> Run RunScanner again and remove these files!

 

170 Explorer MountPoints

 

{1def7ec0-f2a6-11dc-877c-00115b6bb332} E:\wdugva.exe

{bec5134c-fdd6-11dc-8792-00115b6bb332} RavMon.exe

 

<@> Right-click the lines highlighted in red.

<@> Click: Mark/unmark item Space

<@> Click the tab: Item fixer --> Fix selected items.

<@> At the message, click OK.

<@> Under Information, confirm!

<@> Click Unrated items and Malware hunting so we can confirm the removals made.

<@> If you want a deeper clean, go to Extra stuff and remove all the lines highlighted in red.

-------------------------

<!> Friend! Are you able to run ComboFix now?

<!> If you can, post its report. ( ComboFix.txt )

 

Cheers!


Good afternoon DigRam,

 

I ran Runscanner and deleted the files mentioned, and also did a deeper clean.

I ran Combofix and here is the report.

Thanks!

 

ComboFix 08-08-28.06 - Desq 2008-08-29 13:31:18.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.37 [GMT -3:00]

Executando de: C:\Arquivos de programas\Programas Antí-Virus\ComboFix.exe

* Criado um novo ponto de restauro

 

ATENÇAO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\Desq\Dados de aplicativos\macromedia\Flash Player\#SharedObjects\35RZMZD9\bin.clearspring.com

C:\Documents and Settings\Desq\Dados de aplicativos\macromedia\Flash Player\#SharedObjects\35RZMZD9\bin.clearspring.com\clearspring.sol

C:\Documents and Settings\Desq\Dados de aplicativos\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com

C:\Documents and Settings\Desq\Dados de aplicativos\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol

C:\WINDOWS\system32\vsdatant.sys

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_TDSSSERV

-------\Legacy_VSDATANT

-------\Service_tdssserv

-------\Service_vsdatant

 

 

((((((((((((((((((((((( Ficheiros criados de 2008-07-28 to 2008-08-29 ))))))))))))))))))))))))))))))))

.

 

2008-08-27 22:18 . 2008-08-27 22:18 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-08-27 22:18 . 2008-08-27 22:18 1,409 --a------ C:\WINDOWS\QTFont.for

2008-08-27 11:51 . 2008-08-27 11:52 1,791,702 --a------ C:\runscanner.zip

2008-08-27 10:35 . 2008-08-27 10:35 <DIR> d-------- C:\Arquivos de programas\ZoneAlarmSB

2008-08-27 10:32 . 2008-08-27 10:32 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\MailFrontier

2008-08-27 10:32 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe

2008-08-27 10:32 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll

2008-08-27 10:32 . 2008-08-27 10:35 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat

2008-08-27 10:31 . 2008-08-27 10:31 <DIR> d-------- C:\Arquivos de programas\Zone Labs

2008-08-27 10:30 . 2008-08-29 09:52 352,918 --a------ C:\WINDOWS\system32\vsconfig.xml

2008-08-27 10:29 . 2008-08-29 14:14 <DIR> d-------- C:\WINDOWS\Internet Logs

2008-08-27 10:19 . 2008-08-29 13:28 <DIR> d-------- C:\Arquivos de programas\Programas Antí-Virus

2008-08-27 10:14 . 2008-08-27 10:14 210,416 --a------ C:\Arquivos de programas\zaSetup_en.exe

2008-08-27 09:45 . 2008-08-29 14:16 1,908,768 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat

2008-08-27 09:45 . 2008-08-29 13:40 23,372 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx

2008-08-27 08:58 . 2008-08-27 08:58 <DIR> d-------- C:\Documents and Settings\Desq\Dados de aplicativos\Malwarebytes

2008-08-27 08:58 . 2008-08-27 08:58 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Malwarebytes

2008-08-27 08:58 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-08-27 08:58 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-08-26 22:00 . 2008-08-26 22:00 2,870 --a------ C:\WINDOWS\system32\tmp.reg

2008-08-26 21:59 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe

2008-08-26 21:59 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe

2008-08-26 21:59 . 2008-08-26 20:19 88,576 --a------ C:\WINDOWS\system32\AntiXPVSTFix.exe

2008-08-26 21:59 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe

2008-08-26 21:59 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe

2008-08-26 21:59 . 2008-08-14 21:52 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe

2008-08-26 21:59 . 2008-08-18 12:19 82,432 --a------ C:\WINDOWS\system32\404Fix.exe

2008-08-26 21:59 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe

2008-08-26 21:59 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe

2008-08-26 21:59 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe

2008-08-26 21:54 . 2008-08-26 22:03 <DIR> d-------- C:\SmitfraudFix

2008-08-26 17:03 . 2008-03-05 11:41 148,496 --a------ C:\WINDOWS\system32\drivers\68804311.sys

2008-08-26 12:48 . 2008-08-26 12:48 <DIR> d-------- C:\Documents and Settings\Administrador\Dados de aplicativos\Corel

2008-08-26 12:46 . 2008-08-26 12:46 <DIR> d-------- C:\!KillBox

2008-08-26 12:32 . 2008-08-26 14:55 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy

2008-08-26 12:30 . 2008-01-26 14:35 <DIR> d--h----- C:\Documents and Settings\Administrador\Modelos

2008-08-26 12:30 . 2008-01-26 12:29 <DIR> d-------- C:\Documents and Settings\Administrador\Meus documentos

2008-08-26 12:30 . 2008-01-26 12:29 <DIR> dr------- C:\Documents and Settings\Administrador\Menu Iniciar

2008-08-26 12:30 . 2008-01-26 12:29 <DIR> d-------- C:\Documents and Settings\Administrador\Favoritos

2008-08-26 12:30 . 2008-08-26 12:48 <DIR> dr-h----- C:\Documents and Settings\Administrador\Dados de aplicativos

2008-08-26 12:30 . 2008-08-29 13:36 <DIR> d--h----- C:\Documents and Settings\Administrador\Configurações locais

2008-08-26 12:30 . 2008-01-26 12:29 <DIR> d--h----- C:\Documents and Settings\Administrador\Ambiente de rede

2008-08-26 12:30 . 2008-01-26 12:29 <DIR> d--h----- C:\Documents and Settings\Administrador\Ambiente de impressão

2008-08-26 12:30 . 2008-08-26 14:39 <DIR> d-------- C:\Documents and Settings\Administrador

2008-08-11 13:35 . 2008-08-11 13:35 736 --a------ C:\Arquivos de programas\contato_OutlookExpress(2).reg

2008-08-11 12:20 . 2008-08-11 12:20 736 --a------ C:\Arquivos de programas\contato_OutlookExpress.reg

2008-08-04 11:11 . 2008-06-23 13:29 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll

2008-08-04 11:11 . 2007-04-17 06:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat

2008-08-04 11:11 . 2007-03-08 02:12 1,024,000 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui

2008-08-04 11:11 . 2008-06-23 13:29 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll

2008-08-04 11:11 . 2008-06-23 13:29 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll

2008-08-04 11:11 . 2008-06-23 13:29 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll

2008-08-04 11:11 . 2008-06-23 13:29 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll

2008-08-04 11:11 . 2008-06-23 13:29 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll

2008-08-04 11:11 . 2008-06-23 06:20 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe

2008-08-02 19:48 . 2008-08-04 23:50 <DIR> d-------- C:\WINDOWS\system32\pt-br

2008-08-01 14:51 . 2004-08-04 00:45 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll

2008-08-01 14:51 . 2001-09-05 23:50 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-29 17:14 114,688 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip

2008-08-29 16:28 --------- d-----w C:\Arquivos de programas\Programas Antí-Virus

2008-08-26 14:43 --------- d-----w C:\Arquivos de programas\eMule

2008-08-25 20:20 --------- d-----w C:\Documents and Settings\Desq\Dados de aplicativos\Skype

2008-08-25 19:01 --------- d-----w C:\Documents and Settings\Desq\Dados de aplicativos\skypePM

2008-08-08 18:57 --------- d-----w C:\Arquivos de programas\LG Electronics

2008-07-19 01:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll

2008-07-19 01:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe

2008-07-19 01:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll

2008-07-19 01:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll

2008-07-19 01:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll

2008-07-19 01:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll

2008-07-19 01:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll

2008-07-19 01:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll

2008-07-09 12:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll

2008-07-07 20:31 253,952 ----a-w C:\WINDOWS\system32\es.dll

2008-07-03 21:12 --------- d-----w C:\Documents and Settings\Desq\Dados de aplicativos\Media Player Classic

2008-07-01 13:49 --------- d-----w C:\Documents and Settings\Desq\Dados de aplicativos\TeamViewer

2008-07-01 13:49 --------- d-----w C:\Arquivos de programas\TeamViewer3

2008-07-01 13:47 1,477,392 ----a-w C:\Arquivos de programas\TeamViewer_Setup.exe

2008-06-24 16:24 74,240 ----a-w C:\WINDOWS\system32\mscms.dll

2008-06-23 16:29 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

2008-06-20 17:41 247,808 ----a-w C:\WINDOWS\system32\mswsock.dll

2008-06-02 15:09 2,630,176 ----a-w C:\Arquivos de programas\DWG2000.zip

2008-02-15 18:44 86,422 ----a-w C:\Arquivos de programas\DSL500B.zip

2008-01-29 20:09 32 ----a-w C:\Documents and Settings\All Users\Dados de aplicativos\ezsid.dat

2006-10-23 12:12 13,741,589 ----a-w C:\Arquivos de programas\MX800_SYNC_20060707.zip

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias & legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45 15360]

"msnmsgr"="C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54 5674352]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50 155648]

"QuickTime Task"="C:\Arquivos de programas\QuickTime\QTTask.exe" [2008-01-10 14:27 385024]

"HP Software Update"="C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 12:38 49152]

"HP Component Manager"="C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 14:18 241664]

"Adobe Reader Speed Launcher"="C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

"is-AVCTE"="C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\is-AVCTE\is-AVCTE.exe" [2008-06-07 15:26 217088]

"ZoneAlarm Client"="C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]

"SiSPower"="SiSPower.dll" [2005-01-04 05:54 49152 C:\WINDOWS\system32\SiSPower.dll]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:45 15360]

 

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\

AutoCAD Startup Accelerator.lnk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\acstart17.exe [2006-03-05 09:43:54 11000]

HP Digital Imaging Monitor.lnk - C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 21:31:38 241664]

Inicialização rápida do HP Image Zone.lnk - C:\Arquivos de programas\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 22:06:36 53248]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{A3717295-941D-416F-9384-ED1736729F1C}"= "C:\Arquivos de programas\Scpad\scpLIB.dll" [2007-03-27 00:29 128512]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"CompIBBrd"= {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll [2007-03-27 00:29 128512]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

--a------ 2007-01-19 11:54 5674352 C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

"C:\\Arquivos de programas\\TeamViewer3\\TeamViewer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

 

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 11:35]

R1 is-AVCTEdrv;is-AVCTEdrv;C:\WINDOWS\system32\drivers\68804311.sys [2008-03-05 11:41]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 11:37]

S2 is-AVCTE;is-AVCTE;C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\is-AVCTE\is-AVCTE.exe [2008-06-07 15:26]

.

.

------- Ccan Suplementar -------

.

FireFox -: Profile - C:\Documents and Settings\Desq\Dados de aplicativos\Mozilla\Firefox\Profiles\44e7yuey.default\

FireFox -: prefs.js - STARTUP.HOMEPAGE - www.uol.com.br

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-29 14:11:55

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros ocultos ...

 

Varredura completada com sucesso

Ficheiros ocultos: 0

 

**************************************************************************

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

 

PROCESSOS: C:\WINDOWS\explorer.exe

-> ?:\WINDOWS\system32\WS2HELP.dll

.

------------------------ Outros Processos em Execução ------------------------

.

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Arquivos de programas\HP\Digital Imaging\bin\hpqgalry.exe

.

**************************************************************************

.

Tempo para conclusão: 2008-08-29 14:21:52 - Maquina reiniciou

ComboFix-quarantined-files.txt 2008-08-29 17:21:36

 

Pre-Run: 11 pasta(s) 24,216,068,096 bytes disponíveis

Post-Run: 15 pasta(s) 24,332,529,664 bytes disponíveis

 

195 --- E O F --- 2008-08-26 14:38:23

 

 

Cheers


Good afternoon, Chillaca

 

<!> Re-enable your protection programs.

------------------------

<@> Go to Start --> Run --> Type: combofix.exe /u --> Click: OK

<@> The following window will open: ( Open File - Security Warning )

<@> Click Run --> Wait!

<@> Finally, the message will appear: ComboFix uninstalled!

<@> If you find them, delete: C:\ComboFix <-- The folder! + C:\ComboFix.txt <-- The report!

------------------------

<@> Download: < CCleaner >

<@> Save it to the Desktop!

<@> With the < Cleaner > option already selected, click Analyze.

<@> Wait for it to finish!

<@> When done, click Run Cleaner.

<@> In the window that appears, click OK.

<@> Wait for it to finish!

<@> Select the Registry option and click Scan for Issues.

<@> When done, click Fix selected issues...

<@> At the prompt, click Yes!

<@> Name the backups and click Save.

<@> In the window that appears, click: Fix All Selected Issues

<@> Click OK --> Close.

-------------------------

<!> The logs are clean!

<!> Everything OK?

 

Cheers!


Better than great!!! Thanks for all the help and patience!!

If you need anything, we are here!

Thanks


PROBLEM SOLVED!

 

If the author needs the topic reopened, send a Private Message to a Moderator with a link to the topic.
