Archived

This topic is archived and closed for new replies.

MR_MG

[Archived] HijackThis analysis

Good afternoon, ladies and gentlemen.

I would like my log to be evaluated. Every time I start Internet Explorer, two more pages (banners) open. I would like to know about this and other possible infections.

Note: when I use Mozilla the problem does not occur, only with Internet Explorer.

Log below:

 

Logfile of HijackThis v1.99.1

Scan saved at 16:41:54, on 29/9/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\setrysvc.exe

C:\WINDOWS\System32\semwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\atievxx.exe

C:\Arquivos de programas\IVT Corporation\BlueSoleil\BTNtService.exe

C:\Arquivos de programas\Eset\nod32krn.exe

C:\WINDOWS\lsas.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\VMware\VMware Workstation\vmware-authd.exe

C:\Arquivos de programas\Eset\nod32kui.exe

C:\WINDOWS\system32\vmnat.exe

C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\vmnetdhcp.exe

C:\WINDOWS\system32\semwltray.exe

C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

C:\Arquivos de programas\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\Windows Live\Contacts\wlcomm.exe

C:\Arquivos de programas\Windows Live\Messenger\usnsvc.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Arquivos de programas\WinRAR\WinRAR.exe

C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\Rar$EX00.108\HijackThis.exe

 

 

O2 - BHO: testCPV6 - {15421b84-3488-49a7-ad18-cbf84a3efaf6} - C:\Arquivos de programas\Webtools\webtools.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\Arquivos de programas\Real\RealOne Player\rpbrowserrecordplugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: ActivationManager module - {86a44ef7-78fc-4e18-a564-b18f806f7f56} - (no file)

O2 - BHO: (no name) - {9aa2f14f-e956-44b8-8694-a5b615cdf341} - (no file)

O4 - HKLM\..\Run: [nod32kui] "C:\Arquivos de programas\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [GCXX-Manager-Class] "C:\Arquivos de programas\Sony Ericsson\Wireless Manager\GCXXManager.exe" -startup

O4 - HKLM\..\Run: [sony Ericsson Wireless Manager UI] C:\WINDOWS\system32\semwltray

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Arquivos de programas\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [DWQueuedReporting] "C:\ARQUIV~1\ARQUIV~1\MICROS~1\DW\dwtrig20.exe" -t

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: (no name) - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\arquivos de programas\bonjour\mdnsnsp.dll

O11 - Options group: [java_sun] Java (Sun)

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O20 - Winlogon Notify: jsopgl - jsopgl.dll (file missing)

O23 - Service: Dispositivo Celular da Apple (apple mobile device) - Apple Inc. - C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Arquivos de programas\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: Bonjour Service (bonjour service) - Apple Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe

O23 - Service: iPod Service (ipod service) - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Arquivos de programas\Eset\nod32krn.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

O23 - Service: ServiceOMC - Alcatel - C:\WINDOWS\system32\ServiceOMC.exe

O23 - Service: Sony Ericsson Wireless LAN Tray Service (setrysvc) - Unknown owner - C:\WINDOWS\System32\setrysvc.exe

O23 - Service: VMware Authorization Service (vmauthdservice) - VMware, Inc. - C:\Arquivos de programas\VMware\VMware Workstation\vmware-authd.exe

O23 - Service: VMware DHCP Service (vmnetdhcp) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe

O23 - Service: VMware NAT Service (vmware nat service) - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

 

Thanks in advance!


- Download: < ComboFix.exe >

- Save it to the Desktop!

- Disable the resident protections of: antivirus, antispyware and firewall. (Except the Windows one!)

- Close all windows and run the tool!

If you get the notification "Invalid Win32 application", delete the tool and download it again.

Save it to the desktop, renamed as: Kombo.exe

PS: Name it while saving, not after saving it!

PS: If an error message occurs, run ComboFix.exe in Safe Mode.

PS: Avoid running this tool on your own initiative! Follow all the recommendations proposed above.

- The Auto Scan window will open. Wait!

- Type the option to continue! >> Enter

- Wait for it to finish!

- During the scan, avoid touching the mouse or keyboard! <-- Important!

- To stop or exit ComboFix, press "N".

----------------------

- When it finishes, post the report: C:\ComboFix.txt


ComboFix 08-09-28.05 - Administrador 2008-09-30 9:13:20.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.133 [GMT -3:00]

Executando de: C:\Documents and Settings\Administrador\Desktop\ComboFix.exe

* Criado um novo ponto de restauro

* Resident AV is active

 

 

ATENÇAO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Arquivos de programas\ActivationManager

C:\Arquivos de programas\ActivationManager\Uninstall.exe

C:\Arquivos de programas\ADSTechnology

C:\Arquivos de programas\ADSTechnology\ADSTechnology.dll

C:\Arquivos de programas\Sakora

C:\Arquivos de programas\Sakora\Sakora.exe

C:\Arquivos de programas\Temporary

C:\WINDOWS\b156.exe

C:\WINDOWS\file.bat

C:\WINDOWS\msacm32.drv

C:\WINDOWS\services.exe

C:\WINDOWS\system32\mdm.exe

 

.

((((((((((((((((((((((( Ficheiros criados de 2008-08-28 to 2008-09-30 ))))))))))))))))))))))))))))))))

.

 

2080-01-04 00:16 . 2008-01-22 19:11 308,786 --a------ C:\Encerramento do Windows XP.wav

2080-01-04 00:11 . 2008-01-22 19:06 242,630 --a------ C:\Inicialização do Windows XP.wav

2008-09-26 15:06 . 2008-09-26 15:06 268 --ah----- C:\sqmdata00.sqm

2008-09-26 15:06 . 2008-09-26 15:06 244 --ah----- C:\sqmnoopt00.sqm

2008-09-12 08:26 . 2001-08-17 21:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS

2008-09-12 08:26 . 2001-08-17 21:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys

2008-09-04 15:57 . 2004-12-15 10:53 <DIR> d-------- C:\cdvgtfr

2008-09-01 15:45 . 2008-09-01 15:58 664 --a------ C:\WINDOWS\system32\d3d9caps.dat

2008-08-27 17:07 . 2008-08-27 17:07 <DIR> d-------- C:\OPS_R8.0

2008-08-26 16:03 . 2008-08-26 16:04 <DIR> d-------- C:\backup30-03

2008-08-26 14:21 . 2008-08-26 14:21 <DIR> d-------- C:\Arquivos de programas\Super Yahoo Messenger Archive Decoder

2008-08-26 14:11 . 2008-08-26 14:24 <DIR> d-------- C:\Arquivos de programas\MYMA Decoder and Viewer

2008-08-20 15:36 . 2008-09-23 14:40 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy

2008-08-20 15:36 . 2008-08-20 15:37 <DIR> d-------- C:\Arquivos de programas\Spybot - Search & Destroy

2008-08-13 15:17 . 2008-08-13 15:17 <DIR> d-------- C:\Documents and Settings\Administrador\Dados de aplicativos\Apple Computer

2008-08-13 15:16 . 2008-08-13 15:16 <DIR> d-------- C:\Arquivos de programas\iTunes

2008-08-13 15:16 . 2008-08-13 15:16 <DIR> d-------- C:\Arquivos de programas\iPod

2008-08-13 15:16 . 2008-08-13 15:16 <DIR> d-------- C:\Arquivos de programas\Bonjour

2008-08-13 15:14 . 2008-08-13 15:16 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Apple Computer

2008-08-13 15:14 . 2008-08-13 15:15 <DIR> d-------- C:\Arquivos de programas\QuickTime

2008-08-13 15:13 . 2008-08-13 15:13 <DIR> d-------- C:\Arquivos de programas\Apple Software Update

2008-08-13 15:12 . 2008-08-13 15:12 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Apple

2008-08-13 15:12 . 2008-08-13 15:12 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Apple

2008-08-12 15:21 . 2008-08-13 09:00 <DIR> d-------- C:\Documents and Settings\Administrador\Dados de aplicativos\SlipStream

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-09-18 12:33 --------- d-----w C:\Documents and Settings\Administrador\Dados de aplicativos\VMware

2008-09-15 18:50 0 ----a-w C:\WINDOWS\system32\drivers\674ab9b1.sys

2008-09-04 18:50 --------- d--h--w C:\Arquivos de programas\InstallShield Installation Information

2008-09-04 18:50 --------- d-----w C:\Arquivos de programas\Alcatel

2008-08-27 12:59 --------- d-----w C:\Arquivos de programas\Megacubo

2008-08-08 20:54 --------- d-----w C:\Arquivos de programas\FileZillaPortable

2008-07-29 23:55 --------- d-----w C:\Arquivos de programas\VMware

2008-07-29 22:44 --------- d-----w C:\Arquivos de programas\NitroPC

2008-07-27 17:33 7,617 ----a-w C:\WINDOWS\system32\fstmpppz.exe

2008-07-02 00:55 6,144 ----a-w C:\WINDOWS\system32\nscd.exe

2008-06-29 22:57 371,158 --sha-r C:\WINDOWS\lsas.exe

2008-06-27 14:30 155,995 ----a-w C:\WINDOWS\java\Packages\N7PRRNRN.ZIP

2008-06-20 17:41 247,808 ----a-w C:\WINDOWS\system32\mswsock.dll

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias & legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

"msnmsgr"="C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" [2007-11-07 3739672]

"SpybotSD TeaTimer"="C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

"DWQueuedReporting"="C:\ARQUIV~1\ARQUIV~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sony Ericsson Wireless Manager UI"="C:\WINDOWS\system32\semwltray" [X]

"nod32kui"="C:\Arquivos de programas\Eset\nod32kui.exe" [2008-05-08 949376]

"TkBellExe"="C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" [1980-01-04 185896]

"GCXX-Manager-Class"="C:\Arquivos de programas\Sony Ericsson\Wireless Manager\GCXXManager.exe" [2007-09-05 925696]

"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"AppleSyncNotifier"="C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]

"QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [2008-05-27 413696]

"iTunesHelper"="C:\Arquivos de programas\iTunes\iTunesHelper.exe" [2008-07-30 289064]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]

"lsas"="C:\WINDOWS\lsas.exe" [2008-06-29 371158]

 

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\

Microsoft Office.lnk - C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="userinit.exe,C:\\WINDOWS\\lsas.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.divxa32"= msaud32_divx.acm

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wiq17.sys]

@="Driver"

 

[HKLM\~\startupfolder\c:^documents and settings^all users^menu iniciar^programas^inicializar^bluesoleil.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\BlueSoleil.lnk

backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

 

[HKLM\~\startupfolder\c:^documents and settings^all users^menu iniciar^programas^inicializar^sjphone.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\SJphone.lnk

backup=C:\WINDOWS\pss\SJphone.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

--a------ 2007-11-07 15:34 3739672 C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nitropc]

--a------ 2007-11-15 14:03 1975824 C:\Arquivos de programas\NitroPC\NitroPC.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Arquivos de programas\\PCXTools\\OMC\\R610_6.1d\\bin\\omc.exe"=

"C:\\Arquivos de programas\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

"C:\\R 8.0 System Documentation\\Apache\\Apache.exe"=

"C:\\Arquivos de programas\\Messenger\\msmsgs.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=

"C:\\WINDOWS\\system32\\ftp.exe"=

"C:\\Arquivos de programas\\Alcatel\\IpAttendantSoftPhone\\IpAttendantSoftPhone.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe"=

"C:\\Arquivos de programas\\iTunes\\iTunes.exe"=

"C:\\Arquivos de programas\\Megacubo\\megacubo.exe"=

"C:\\Arquivos de programas\\Megacubo\\megasrv.exe"=

 

R2 setrysvc;Sony Ericsson Wireless LAN Tray Service;C:\WINDOWS\System32\setrysvc.exe C:\WINDOWS\System32\semwltry.exe [ ]

R3 Maestro;ESS Maestro2E Audio Driver (WDM);C:\WINDOWS\system32\drivers\essm2e.sys [2004-08-03 137088]

S0 wiq17;wiq17;C:\WINDOWS\system32\Drivers\Wiq17.sys [ ]

S1 674ab9b1;674ab9b1;C:\WINDOWS\system32\drivers\674ab9b1.sys [2008-09-15 0]

S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 34064]

S3 PcCGoCls;PcCGoCls;C:\WINDOWS\system32\Drivers\PcCGoCls.sys [ ]

S3 SEM43XX;Controlador da Placa de Rede Broadcom 802.11;C:\WINDOWS\system32\DRIVERS\semwl5.sys [2007-09-05 604928]

S3 SEMWModem;Sony Ericsson SEMWModem;C:\WINDOWS\system32\DRIVERS\GCXX.sys [2007-05-14 108928]

S3 SEMWWNIC;Sony Ericsson SEMWWNIC;C:\WINDOWS\system32\DRIVERS\GCXXNet.sys [2007-05-10 53248]

S3 ServiceOMC;ServiceOMC;C:\WINDOWS\system32\ServiceOMC.exe [2007-09-18 73728]

S3 Sony_EricssonWWSC;Sony Ericsson SIM Card Reader;C:\WINDOWS\system32\DRIVERS\GCXXSC.sys [2007-05-10 19328]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ab54160-5609-11bd-a481-101111111111}]

\shell\autorun\command - D:\sysnt.exe

\shell\explore\command - D:\sysnt.exe

\shell\open\command - D:\sysnt.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ab54161-5609-11bd-a481-101111111111}]

\shell\autorun\command - E:\sysnt.exe

\shell\explore\command - E:\sysnt.exe

\shell\open\command - E:\sysnt.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c227f103-57e5-11dd-a47b-101111111111}]

\shell\autorun\command - D:\sysnt.exe

\shell\explore\command - D:\sysnt.exe

\shell\open\command - D:\sysnt.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c227f104-57e5-11dd-a47b-101111111111}]

\shell\autorun\command - E:\sysnt.exe

\shell\explore\command - E:\sysnt.exe

\shell\open\command - E:\sysnt.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ebbd7720-5607-11bd-a3f7-00d059126025}]

\Shell\AutoRun\command - lqixwc.exe

\Shell\explore\Command - lqixwc.exe

\Shell\open\Command - lqixwc.exe

 

*Newly Created Service* - CATCHME

*Newly Created Service* - PROCEXP90

.

- - - - ORFAOS REMOVIDOS - - - -

 

HKLM-Explorer_Run-cmon - C:\WINDOWS\system32\sns1.exe

Notify-jsopgl - jsopgl.dll

MSConfigStartUp-sakora - C:\Arquivos de programas\Sakora\Sakora.exe

 

 

.

------- Ccan Suplementar -------

.

FireFox -: Profile - C:\Documents and Settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\o8g52fk7.default\

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://mail.olitel.com.br

FF -: plugin - C:\Arquivos de programas\iTunes\Mozilla Plugins\npitunes.dll

FF -: plugin - C:\Arquivos de programas\Real\RealOne Player\Netscape6\nppl3260.dll

FF -: plugin - C:\Arquivos de programas\Real\RealOne Player\Netscape6\nprjplug.dll

FF -: plugin - C:\Arquivos de programas\Real\RealOne Player\Netscape6\nprpjplug.dll

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-09-30 09:16:52

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros ocultos ...

 

Varredura completada com sucesso

Ficheiros ocultos: 0

 

**************************************************************************

.

--------------------- DLLs Carregadas Sob os Processos em Execuçao ---------------------

 

PROCESSOS: C:\WINDOWS\system32\lsass.exe

-> C:\Arquivos de programas\Eset\pr_imon.dll

.

Tempo para conclusão: 2008-09-30 9:18:29

ComboFix-quarantined-files.txt 2008-09-30 12:18:24

 

Pre-Run: 14 pasta(s) 26.108.010.496 bytes disponíveis

Post-Run: 16 pasta(s) 26,106,855,424 bytes disponíveis

 

187 --- E O F --- 2008-07-25 23:56:55


- Download Malwarebytes Anti-Malware

http://www.besttechie.net/tools/mbam-setup.exe

◘ Install it by double-clicking "mbam-setup.exe";

◘ Check "Update Malwarebytes Anti-Malware" and "Launch Malwarebytes Anti-Malware", and click Finish;

◘ Select "Quick Scan" and then click Scan;

◘ When the scan finishes, click OK and then "Show Results" to see the log;

◘ If anything is detected, make sure everything is checked and click "Remove";

◘ The log is saved automatically and can be viewed by clicking "Logs" in the main menu;

◘ Copy and paste the contents of that log in your next reply.

- Generate a new HijackThis log and paste it in your reply.


Malwarebytes' Anti-Malware 1.27

Versão do banco de dados: 1127

Windows 5.1.2600 Service Pack 2

 

30/9/2008 14:55:57

mbam-log-2008-09-30 (14-55-57).txt

 

Tipo de Verificação: Rápida

Objetos verificados: 40587

Tempo decorrido: 7 minute(s), 44 second(s)

 

Processos da Memória infectados: 1

Módulos de Memória Infectados: 0

Chaves do Registro infectadas: 6

Valores do Registro infectados: 1

Ítens do Registro infectados: 1

Pastas infectadas: 1

Arquivos infectados: 4

 

Processos da Memória infectados:

C:\WINDOWS\lsas.exe (Backdoor.Bot) -> Unloaded process successfully.

 

Módulos de Memória Infectados:

(Nenhum ítem malicioso foi detectado)

 

Chaves do Registro infectadas:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{86a44ef7-78fc-4e18-a564-b18f806f7f56} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Webtools (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\secdrv (Rootkit.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\secdrv (Rootkit.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\secdrv (Rootkit.Agent) -> Quarantined and deleted successfully.

 

Valores do Registro infectados:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lsas (Backdoor.Bot) -> Quarantined and deleted successfully.

 

Ítens do Registro infectados:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\lsas.exe -> Quarantined and deleted successfully.

 

Pastas infectadas:

C:\Arquivos de programas\Webtools (Trojan.Agent) -> Quarantined and deleted successfully.

 

Arquivos infectados:

C:\Arquivos de programas\Webtools\webtools.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\lsas.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\secdrv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrador\results.txt (Malware.Trace) -> Quarantined and deleted successfully.

 

 

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 09:08:11, on 1/10/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\setrysvc.exe

C:\WINDOWS\System32\semwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\atievxx.exe

C:\Arquivos de programas\IVT Corporation\BlueSoleil\BTNtService.exe

C:\Arquivos de programas\Bonjour\mDNSResponder.exe

C:\Arquivos de programas\Eset\nod32krn.exe

C:\Arquivos de programas\VMware\VMware Workstation\vmware-authd.exe

C:\WINDOWS\system32\vmnat.exe

C:\WINDOWS\system32\vmnetdhcp.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\Arquivos de programas\Eset\nod32kui.exe

C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\semwltray.exe

C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

C:\Arquivos de programas\iPod\bin\iPodService.exe

C:\Arquivos de programas\Windows Live\Contacts\wlcomm.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Arquivos de programas\WinRAR\WinRAR.exe

C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\Rar$EX00.050\HijackThis.exe

 

 

F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\lsas.exe

O1 - Hosts: 153.1.1.3 olitel0

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\Arquivos de programas\Real\RealOne Player\rpbrowserrecordplugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {9aa2f14f-e956-44b8-8694-a5b615cdf341} - (no file)

O4 - HKLM\..\Run: [nod32kui] "C:\Arquivos de programas\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [GCXX-Manager-Class] "C:\Arquivos de programas\Sony Ericsson\Wireless Manager\GCXXManager.exe" -startup

O4 - HKLM\..\Run: [sony Ericsson Wireless Manager UI] C:\WINDOWS\system32\semwltray

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Arquivos de programas\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [DWQueuedReporting] "C:\ARQUIV~1\ARQUIV~1\MICROS~1\DW\dwtrig20.exe" -t

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: (no name) - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\arquivos de programas\bonjour\mdnsnsp.dll

O11 - Options group: [java_sun] Java (Sun)

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O20 - Winlogon Notify: jsopgl - C:\WINDOWS\

O23 - Service: Dispositivo Celular da Apple (apple mobile device) - Apple Inc. - C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Arquivos de programas\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: Bonjour Service (bonjour service) - Apple Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe

O23 - Service: iPod Service (ipod service) - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Arquivos de programas\Eset\nod32krn.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

O23 - Service: ServiceOMC - Alcatel - C:\WINDOWS\system32\ServiceOMC.exe

O23 - Service: Sony Ericsson Wireless LAN Tray Service (setrysvc) - Unknown owner - C:\WINDOWS\System32\setrysvc.exe

O23 - Service: VMware Authorization Service (vmauthdservice) - VMware, Inc. - C:\Arquivos de programas\VMware\VMware Workstation\vmware-authd.exe

O23 - Service: VMware DHCP Service (vmnetdhcp) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe

O23 - Service: VMware NAT Service (vmware nat service) - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

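The helpers above read the two HijackThis logs by eye. As an added example (it is not HijackThis code and was not posted in this thread), the script below parses the line formats those logs use (running-process paths, F2, O2, O4 and O20) and flags the indicators that turned out to matter here: a look-alike executable running from the Windows root instead of system32 (C:\WINDOWS\lsas.exe), an extra program chained onto Userinit, a BHO registered with no backing DLL, and a Winlogon Notify package that does not resolve to a file. The sample log is constructed from lines copied out of the logs in this thread; the Windows directory is assumed to be the default C:\WINDOWS.

```python
"""Triage helper for HijackThis v1.99 logs.

Added example for this thread; it is neither HijackThis code nor something the
thread's helpers posted. It parses the line formats seen in the two logs above
(running-process paths, F2, O2, O4, O20) and flags what an analyst checks first.
"""
import re
from dataclasses import dataclass

# Line formats as printed by HijackThis 1.99.1 (taken from the logs in this thread).
RE_PROC = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)
RE_F2 = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.IGNORECASE)
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
RE_EXE = re.compile(r'^"?(?P<exe>[A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)

WINDIR = "c:\\windows"                  # assumption: default XP install directory
WINDIR_ROOT_ALLOWED = {"explorer.exe"}  # the one process that normally runs from %WINDIR% itself


@dataclass
class Finding:
    section: str   # "process", "F2", "O2", "O4" or "O20"
    reason: str
    line: str


def _dir_and_base(path: str) -> tuple[str, str]:
    """Split a Windows path into (lower-cased directory, lower-cased file name)."""
    p = path.strip().strip('"')
    d, _, b = p.rpartition("\\")
    return d.lower(), b.lower()


def _first_exe(cmd: str) -> str:
    """Extract the executable from a Run value such as '"C:\\x\\a.exe" -flag'."""
    m = RE_EXE.match(cmd.strip())
    return m["exe"] if m else cmd.strip()


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if RE_PROC.match(line):
            # lsass.exe, services.exe etc. live in system32; a look-alike such as
            # C:\WINDOWS\lsas.exe running from the Windows root is the classic tell.
            d, b = _dir_and_base(line)
            if d == WINDIR and b not in WINDIR_ROOT_ALLOWED:
                findings.append(Finding("process", f"executable running from %WINDIR% root: {b}", line))
            continue
        m = RE_F2.match(line)
        if m:
            # Userinit should be exactly userinit.exe; anything after the comma also runs at logon.
            for part in m["value"].split(","):
                _, b = _dir_and_base(part)
                if b and b != "userinit.exe":
                    findings.append(Finding("F2", f"extra program chained to Userinit: {part.strip()}", line))
            continue
        m = RE_O2.match(line)
        if m:
            if m["path"].strip().lower() == "(no file)":
                findings.append(Finding("O2", f"BHO {{{m['clsid']}}} registered without a backing DLL", line))
            continue
        m = RE_O4.match(line)
        if m:
            d, b = _dir_and_base(_first_exe(m["cmd"]))
            if d == WINDIR:
                findings.append(Finding("O4", f"{m['hive']} Run entry launches from %WINDIR% root: {b}", line))
            continue
        m = RE_O20.match(line)
        if m:
            path = m["path"].strip()
            # A Notify package whose DLL is missing, or that names only a directory, is a leftover hook.
            if "(file missing)" in path.lower() or path.endswith("\\"):
                findings.append(Finding("O20", f"Winlogon Notify '{m['name']}' does not resolve to a DLL", line))
    return findings


# Constructed sample: a handful of lines copied from the logs in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\lsas.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Eset\nod32kui.exe

F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\lsas.exe
O2 - BHO: testCPV6 - {15421b84-3488-49a7-ad18-cbf84a3efaf6} - C:\Arquivos de programas\Webtools\webtools.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Arquivos de programas\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: jsopgl - jsopgl.dll (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample it reports four findings: the process and the Userinit entry both pointing at C:\WINDOWS\lsas.exe, the orphaned BHO CLSID, and the jsopgl Notify hook. The rules are deliberately narrow (a Run entry in system32 or Program Files is not flagged), so treat the output as a review list that points an analyst at the lines worth checking, not as a verdict.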

I suggest you print or save the procedures below, and do not use the internet until the procedure is finished.

Select and copy the text inside the QUOTE (grey box) below. Open Notepad and paste what you copied. Then save it to the desktop with the name CFScript.txt.

 

File::

C:\WINDOWS\system32\d3d9caps.dat

D:\sysnt.exe

E:\sysnt.exe

lqixwc.exe

Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ab54160-5609-11bd-a481-101111111111}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ab54161-5609-11bd-a481-101111111111}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c227f103-57e5-11dd-a47b-101111111111}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c227f104-57e5-11dd-a47b-101111111111}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ebbd7720-5607-11bd-a3f7-00d059126025}]

 

This script was written only for this computer, according to the files and keys present; do not use it on another computer, as it may cause damage.

Now drag CFScript.txt onto ComboFix as shown in the demonstration below.

[image: cfscript.gif]

ComboFix will run and will restart the PC automatically to complete the removal process.

IMPORTANT: Do not use the mouse or keyboard while ComboFix is running.

When it finishes, a log will be generated at C:\ComboFix.txt.

Post it together with the new HijackThis log.

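The Registry:: section of the CFScript above is exactly the five MountPoints2 keys that the first ComboFix report listed with their autorun/explore/open verbs redirected to D:\sysnt.exe, E:\sysnt.exe and lqixwc.exe. As an added example (not ComboFix's code and not something the helper posted), the script below parses that "Pontos de Carregamento do Registro" block format, applies a heuristic for drive-root or bare-name autorun commands, and emits the corresponding [-KEY] lines in CFScript syntax. The sample report is constructed from the lines in the thread; the File:: part of the helper's script is left out, since which files to delete was the analyst's judgment, not something derivable from the report.

```python
"""Pull MountPoints2 autorun redirections out of a ComboFix report and build the
matching CFScript Registry:: section.

Added example for this thread, not ComboFix's own code; the line formats are those of
the "Pontos de Carregamento do Registro" section in the reports posted above.
"""
import re

RE_KEY = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
RE_MOUNTPOINT = re.compile(r"\\explorer\\mountpoints2\\\{[0-9a-f-]+\}$", re.IGNORECASE)
RE_VERB = re.compile(r"^\\shell\\(?P<verb>autorun|explore|open)\\command - (?P<cmd>.+)$", re.IGNORECASE)


def parse_mountpoints(report_text: str) -> dict[str, dict[str, str]]:
    """Map each MountPoints2 key in the report to its {verb: command} entries."""
    entries: dict[str, dict[str, str]] = {}
    current = None
    for raw in report_text.splitlines():
        line = raw.strip()
        m = RE_KEY.match(line)
        if m:
            # Only MountPoints2 keys are tracked; any other [HKEY_...] header ends the block.
            key = m["key"]
            current = key if RE_MOUNTPOINT.search(key) else None
            if current:
                entries[current] = {}
            continue
        m = RE_VERB.match(line)
        if m and current:
            entries[current][m["verb"].lower()] = m["cmd"].strip()
    return entries


def _drive_root_or_bare(cmd: str) -> bool:
    """Heuristic: a bare name ('lqixwc.exe', resolved relative to the drive) or an
    executable sitting directly in a drive root ('D:\\sysnt.exe'). This is the shape
    of the entries removed in this thread; a legitimate autorun CD can produce a
    similar entry, so the result is a review list, not an automatic deletion."""
    c = cmd.strip().strip('"')
    return c.lower().endswith(".exe") and ("\\" not in c or re.fullmatch(r"[A-Za-z]:\\[^\\]+", c) is not None)


def suspicious_mountpoints(entries: dict[str, dict[str, str]]) -> list[str]:
    """Keys whose Explorer verbs have been redirected to such an executable."""
    return [k for k, verbs in entries.items() if any(_drive_root_or_bare(c) for c in verbs.values())]


def cfscript_registry_section(keys: list[str]) -> str:
    """CFScript syntax: a key written as [-KEY] under Registry:: is deleted by ComboFix."""
    return "Registry::\n" + "".join(f"[-{k}]\n" for k in keys)


# Constructed sample: the Winlogon and MountPoints2 blocks copied from the first ComboFix report above.
SAMPLE_REPORT = r"""[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="userinit.exe,C:\\WINDOWS\\lsas.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ab54160-5609-11bd-a481-101111111111}]
\shell\autorun\command - D:\sysnt.exe
\shell\explore\command - D:\sysnt.exe
\shell\open\command - D:\sysnt.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ab54161-5609-11bd-a481-101111111111}]
\shell\autorun\command - E:\sysnt.exe
\shell\explore\command - E:\sysnt.exe
\shell\open\command - E:\sysnt.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c227f103-57e5-11dd-a47b-101111111111}]
\shell\autorun\command - D:\sysnt.exe
\shell\explore\command - D:\sysnt.exe
\shell\open\command - D:\sysnt.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c227f104-57e5-11dd-a47b-101111111111}]
\shell\autorun\command - E:\sysnt.exe
\shell\explore\command - E:\sysnt.exe
\shell\open\command - E:\sysnt.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ebbd7720-5607-11bd-a3f7-00d059126025}]
\Shell\AutoRun\command - lqixwc.exe
\Shell\explore\Command - lqixwc.exe
\Shell\open\Command - lqixwc.exe
"""

if __name__ == "__main__":
    print(cfscript_registry_section(suspicious_mountpoints(parse_mountpoints(SAMPLE_REPORT))))
```

On the sample the output is the same five [-HKEY_CURRENT_USER\...\mountpoints2\{...}] lines the helper wrote. Because the verb regex is case-insensitive, the last block's mixed-case \Shell\AutoRun\Command lines are matched like the others; the Winlogon block is parsed past without being treated as a mount point.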

ComboFix 08-09-28.05 - Administrador 2008-10-01 15:48:47.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.125 [GMT -3:00]

Running from: C:\Documents and Settings\Administrador\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Administrador\Desktop\CFScript.txt

* Created a new restore point

* Resident AV is active

 

 

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

 

FILE ::

C:\WINDOWS\system32\d3d9caps.dat

D:\sysnt.exe

E:\sysnt.exe

.

 

((((((((((((((((((((((( Files Created from 2008-09-01 to 2008-10-01 ))))))))))))))))))))))))))))))))

.

 

2080-01-04 00:16 . 2008-01-22 19:11 308,786 --a------ C:\Encerramento do Windows XP.wav

2080-01-04 00:11 . 2008-01-22 19:06 242,630 --a------ C:\Inicialização do Windows XP.wav

2008-09-30 14:43 . 2008-09-30 14:43 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Malwarebytes

2008-09-30 14:43 . 2008-09-30 14:43 <DIR> d-------- C:\Documents and Settings\Administrador\Dados de aplicativos\Malwarebytes

2008-09-30 14:43 . 2008-09-30 14:43 <DIR> d-------- C:\Arquivos de programas\Malwarebytes' Anti-Malware

2008-09-30 14:43 . 2008-09-08 00:11 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-09-30 14:43 . 2008-09-08 00:11 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-09-26 15:06 . 2008-09-26 15:06 268 --ah----- C:\sqmdata00.sqm

2008-09-26 15:06 . 2008-09-26 15:06 244 --ah----- C:\sqmnoopt00.sqm

2008-09-12 08:26 . 2001-08-17 21:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS

2008-09-12 08:26 . 2001-08-17 21:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys

2008-09-04 15:57 . 2004-12-15 10:53 <DIR> d-------- C:\cdvgtfr

 

.

((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-09-23 17:40 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy

2008-09-18 12:33 --------- d-----w C:\Documents and Settings\Administrador\Dados de aplicativos\VMware

2008-09-15 18:50 0 ----a-w C:\WINDOWS\system32\drivers\674ab9b1.sys

2008-09-04 18:50 --------- d--h--w C:\Arquivos de programas\InstallShield Installation Information

2008-09-04 18:50 --------- d-----w C:\Arquivos de programas\Alcatel

2008-08-27 12:59 --------- d-----w C:\Arquivos de programas\Megacubo

2008-08-26 17:24 --------- d-----w C:\Arquivos de programas\MYMA Decoder and Viewer

2008-08-26 17:21 --------- d-----w C:\Arquivos de programas\Super Yahoo Messenger Archive Decoder

2008-08-20 18:37 --------- d-----w C:\Arquivos de programas\Spybot - Search & Destroy

2008-08-13 18:17 --------- d-----w C:\Documents and Settings\Administrador\Dados de aplicativos\Apple Computer

2008-08-13 18:16 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Apple Computer

2008-08-13 18:16 --------- d-----w C:\Arquivos de programas\iTunes

2008-08-13 18:16 --------- d-----w C:\Arquivos de programas\iPod

2008-08-13 18:16 --------- d-----w C:\Arquivos de programas\Bonjour

2008-08-13 18:15 --------- d-----w C:\Arquivos de programas\QuickTime

2008-08-13 18:13 --------- d-----w C:\Arquivos de programas\Apple Software Update

2008-08-13 18:12 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Apple

2008-08-13 18:12 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Apple

2008-08-13 12:00 --------- d-----w C:\Documents and Settings\Administrador\Dados de aplicativos\SlipStream

2008-08-08 20:54 --------- d-----w C:\Arquivos de programas\FileZillaPortable

2008-07-27 17:33 7,617 ----a-w C:\WINDOWS\system32\fstmpppz.exe

2008-07-02 00:55 6,144 ----a-w C:\WINDOWS\system32\nscd.exe

.

 

((((((((((((((((((((((((((((( snapshot@2008-09-30_ 9.17.35.85 )))))))))))))))))))))))))))))))))))))))))

.

+ 1980-01-04 03:00:58 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_2e0.dat

.

(((((((((((((((((((((((((( Registry Loading Points )))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legitimate default entries are not shown.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

"msnmsgr"="C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" [2007-11-07 3739672]

"SpybotSD TeaTimer"="C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

"DWQueuedReporting"="C:\ARQUIV~1\ARQUIV~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sony Ericsson Wireless Manager UI"="C:\WINDOWS\system32\semwltray" [X]

"nod32kui"="C:\Arquivos de programas\Eset\nod32kui.exe" [2008-05-08 949376]

"TkBellExe"="C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" [1980-01-04 185896]

"GCXX-Manager-Class"="C:\Arquivos de programas\Sony Ericsson\Wireless Manager\GCXXManager.exe" [2007-09-05 925696]

"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"AppleSyncNotifier"="C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]

"QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [2008-05-27 413696]

"iTunesHelper"="C:\Arquivos de programas\iTunes\iTunesHelper.exe" [2008-07-30 289064]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

 

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\

Microsoft Office.lnk - C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jsopgl]

[BU]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.divxa32"= msaud32_divx.acm

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wiq17.sys]

@="Driver"

 

[HKLM\~\startupfolder\c:^documents and settings^all users^menu iniciar^programas^inicializar^bluesoleil.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\BlueSoleil.lnk

backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

 

[HKLM\~\startupfolder\c:^documents and settings^all users^menu iniciar^programas^inicializar^sjphone.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\SJphone.lnk

backup=C:\WINDOWS\pss\SJphone.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

--a------ 2007-11-07 15:34 3739672 C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nitropc]

--a------ 2007-11-15 14:03 1975824 C:\Arquivos de programas\NitroPC\NitroPC.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Arquivos de programas\\PCXTools\\OMC\\R610_6.1d\\bin\\omc.exe"=

"C:\\Arquivos de programas\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

"C:\\R 8.0 System Documentation\\Apache\\Apache.exe"=

"C:\\Arquivos de programas\\Messenger\\msmsgs.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=

"C:\\WINDOWS\\system32\\ftp.exe"=

"C:\\Arquivos de programas\\Alcatel\\IpAttendantSoftPhone\\IpAttendantSoftPhone.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe"=

"C:\\Arquivos de programas\\iTunes\\iTunes.exe"=

"C:\\Arquivos de programas\\Megacubo\\megacubo.exe"=

"C:\\Arquivos de programas\\Megacubo\\megasrv.exe"=

 

R2 setrysvc;Sony Ericsson Wireless LAN Tray Service;C:\WINDOWS\System32\setrysvc.exe C:\WINDOWS\System32\semwltry.exe [ ]

R3 Maestro;ESS Maestro2E Audio Driver (WDM);C:\WINDOWS\system32\drivers\essm2e.sys [2004-08-03 137088]

S0 wiq17;wiq17;C:\WINDOWS\system32\Drivers\Wiq17.sys [ ]

S1 674ab9b1;674ab9b1;C:\WINDOWS\system32\drivers\674ab9b1.sys [2008-09-15 0]

S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 34064]

S3 PcCGoCls;PcCGoCls;C:\WINDOWS\system32\Drivers\PcCGoCls.sys [ ]

S3 SEM43XX;Controlador da Placa de Rede Broadcom 802.11;C:\WINDOWS\system32\DRIVERS\semwl5.sys [2007-09-05 604928]

S3 SEMWModem;Sony Ericsson SEMWModem;C:\WINDOWS\system32\DRIVERS\GCXX.sys [2007-05-14 108928]

S3 SEMWWNIC;Sony Ericsson SEMWWNIC;C:\WINDOWS\system32\DRIVERS\GCXXNet.sys [2007-05-10 53248]

S3 ServiceOMC;ServiceOMC;C:\WINDOWS\system32\ServiceOMC.exe [2007-09-18 73728]

S3 Sony_EricssonWWSC;Sony Ericsson SIM Card Reader;C:\WINDOWS\system32\DRIVERS\GCXXSC.sys [2007-05-10 19328]

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-01 15:51:40

Windows 5.1.2600 Service Pack 2 NTFS

 

Scanning for hidden processes ...

 

Scanning for hidden autostart entries ...

 

Scanning for hidden files ...

 

Scan completed successfully

Hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

PROCESS: C:\WINDOWS\system32\lsass.exe

-> C:\Arquivos de programas\Eset\pr_imon.dll

.

Completion time: 2008-10-01 15:53:08

ComboFix-quarantined-files.txt 2008-10-01 18:53:02

ComboFix2.txt 2008-10-01 18:40:37

ComboFix3.txt 2008-09-30 12:18:31

 

Pre-Run: 14 folder(s) 28.116.332.544 bytes free

Post-Run: 15 folder(s) 28,106,854,400 bytes free

 

142 --- E O F --- 2008-07-25 23:56:55

 

 

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 15:56:02, on 1/10/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\setrysvc.exe

C:\WINDOWS\System32\semwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\atievxx.exe

C:\Arquivos de programas\IVT Corporation\BlueSoleil\BTNtService.exe

C:\Arquivos de programas\Bonjour\mDNSResponder.exe

C:\Arquivos de programas\Eset\nod32krn.exe

C:\Arquivos de programas\VMware\VMware Workstation\vmware-authd.exe

C:\WINDOWS\system32\vmnat.exe

C:\WINDOWS\system32\vmnetdhcp.exe

C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\semwltray.exe

C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

C:\Arquivos de programas\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\iPod\bin\iPodService.exe

C:\Arquivos de programas\Windows Live\Messenger\usnsvc.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\notepad.exe

C:\Arquivos de programas\WinRAR\WinRAR.exe

C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\Rar$EX00.638\HijackThis.exe

 

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\Arquivos de programas\Real\RealOne Player\rpbrowserrecordplugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {9aa2f14f-e956-44b8-8694-a5b615cdf341} - (no file)

O4 - HKLM\..\Run: [nod32kui] "C:\Arquivos de programas\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [GCXX-Manager-Class] "C:\Arquivos de programas\Sony Ericsson\Wireless Manager\GCXXManager.exe" -startup

O4 - HKLM\..\Run: [Sony Ericsson Wireless Manager UI] C:\WINDOWS\system32\semwltray

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Arquivos de programas\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [DWQueuedReporting] "C:\ARQUIV~1\ARQUIV~1\MICROS~1\DW\dwtrig20.exe" -t

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: (no name) - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\arquivos de programas\bonjour\mdnsnsp.dll

O11 - Options group: [java_sun] Java (Sun)

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O20 - Winlogon Notify: jsopgl - C:\WINDOWS\

O23 - Service: Dispositivo Celular da Apple (apple mobile device) - Apple Inc. - C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Arquivos de programas\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: Bonjour Service (bonjour service) - Apple Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe

O23 - Service: iPod Service (ipod service) - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Arquivos de programas\Eset\nod32krn.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

O23 - Service: ServiceOMC - Alcatel - C:\WINDOWS\system32\ServiceOMC.exe

O23 - Service: Sony Ericsson Wireless LAN Tray Service (setrysvc) - Unknown owner - C:\WINDOWS\System32\setrysvc.exe

O23 - Service: VMware Authorization Service (vmauthdservice) - VMware, Inc. - C:\Arquivos de programas\VMware\VMware Workstation\vmware-authd.exe

O23 - Service: VMware DHCP Service (vmnetdhcp) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe

O23 - Service: VMware NAT Service (vmware nat service) - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

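As an added example (not part of the thread, and not a feature of HijackThis or ComboFix), the checks a helper applies by eye to logs like the ones above can be written down as a small triage script. It runs over a constructed sample of lines shaped like entries in the logs above (the sample, the regexes and the heuristics are the example's own assumptions) and flags orphaned entries, Winlogon Notify hooks that do not name a DLL, drivers registered with no file or a zero-byte file, and random-looking driver names:

```python
import re

# Constructed sample, not a log from the thread: a few lines in HijackThis
# (O2/O4/O20/O23) and ComboFix driver/service (R0-R3, S0-S3) format, shaped
# like the entries in the logs above.
SAMPLE_LOG = "\n".join([
    "O2 - BHO: SSVHelper Class - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\\Arquivos de programas\\Java\\jre1.6.0_07\\bin\\ssv.dll",
    "O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    "O4 - HKLM\\..\\Run: [nod32kui] \"C:\\Arquivos de programas\\Eset\\nod32kui.exe\" /WAITSERVICE",
    "O20 - Winlogon Notify: jsopgl - C:\\WINDOWS\\",
    "O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\\Arquivos de programas\\Eset\\nod32krn.exe",
    "O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\\WinPcap\\rpcapd.exe\" -d -f \"%ProgramFiles%\\WinPcap\\rpcapd.ini (file missing)",
    "S0 wiq17;wiq17;C:\\WINDOWS\\system32\\Drivers\\Wiq17.sys [ ]",
    "S1 674ab9b1;674ab9b1;C:\\WINDOWS\\system32\\drivers\\674ab9b1.sys [2008-09-15 0]",
    "R3 Maestro;ESS Maestro2E Audio Driver (WDM);C:\\WINDOWS\\system32\\drivers\\essm2e.sys [2004-08-03 137088]",
])

# HijackThis entry: "O<n> - <rest>"
HJT_ENTRY = re.compile(r"^(O\d+) - (.*)$")
# ComboFix driver/service line: "<R|S><n> name;display name;path [date size]"
CF_SERVICE = re.compile(
    r"^([RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?) \[(?P<meta>[^\]]*)\]$"
)
# Eight lowercase hex digits as a driver name (assumed heuristic, see lead-in)
RANDOM_HEX_NAME = re.compile(r"^[0-9a-f]{8}$")


def triage_line(line):
    """Return a short reason if the line deserves a manual look, else None."""
    line = line.rstrip()
    # HijackThis marks entries whose target no longer exists.
    if "(no file)" in line or "(file missing)" in line:
        return "orphaned entry: registered but the file is gone"

    m = HJT_ENTRY.match(line)
    if m:
        kind, rest = m.groups()
        if kind == "O20":
            parts = rest.split(" - ", 1)
            target = parts[1].strip() if len(parts) == 2 else ""
            # A Winlogon Notify package must name a DLL; a bare directory is
            # either a leftover hook or something that cleaned up after itself.
            if not target.lower().endswith(".dll"):
                return "Winlogon Notify entry without a DLL path"
        return None

    m = CF_SERVICE.match(line)
    if m:
        meta = m.group("meta").strip()
        if not meta:  # ComboFix prints "[ ]" when the file is not on disk
            return "driver/service with no file on disk"
        fields = meta.split()
        if len(fields) == 2 and fields[1] == "0":
            return "driver/service backed by a zero-byte file"
        if RANDOM_HEX_NAME.match(m.group("name")):
            return "driver with a random-looking name"
    return None


def triage(log_text):
    """Run triage_line over a whole log; returns [(line, reason), ...]."""
    findings = []
    for line in log_text.splitlines():
        reason = triage_line(line)
        if reason:
            findings.append((line.rstrip(), reason))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"[{reason}] {entry}")
```

A hit is a prompt for a manual look, not a verdict: the `(no file)` and `(file missing)` entries are usually leftovers from uninstalled software that are safe to fix, whereas a boot-start driver with no file or a zero-byte file and a Winlogon Notify key pointing at a bare directory are the kind of entries to check against the ComboFix quarantine and a fresh scan before calling a log clean.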

Update Java.

Old versions have vulnerabilities that some malware can use to infect your system.

• Download the latest version of the Java Runtime Environment (JRE) 6u7.
• Look for where it says "Java Runtime Environment (JRE) 6 Update 7".
• Click the Download button.
• Check the option that says Accept License Agreement.
• The page will refresh.
• Click the Windows Offline Installation download link and save it to your desktop. (The file is around 70 MB.)
• Close any running programs, especially browsers.
• Go to Start > Control Panel, double-click Add or Remove Programs and remove all old versions of Java. Examples of old versions:
  Java 2 Runtime Environment, SE v1.4.2
  J2SE Runtime Environment 5.0
  J2SE Runtime Environment 5.0 Update 6
• Select any item named Java Runtime Environment (JRE or J2SE).
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each version of Java.
• Restart your computer once all versions of Java have been removed.
• Now go to your desktop and double-click jre-6u7-windows-i586-p.exe to install the newest version.

 

 

OK, the log is clean :)

 

- In Run, type combofix /u, click OK and wait for ComboFix to be uninstalled.

 

Visit Windows Update and update your system, downloading Service Pack 3.

 

Or, if you prefer, download and install the full package (about 300 MB):

http://www.microsoft.com/downloads/details...splayLang=pt-br

 

- I recommend a cleanup of the computer to delete temporary and unnecessary files and invalid registry entries. Download CCleaner.

 

• Open the program and click Run Cleaner;

• After that, click Registry > Scan for Issues > Fix Issues

 

- Disable and then re-enable System Restore.

 

Read the article "Cuidados ao navegar na net" (safe browsing advice) for more information on how to avoid infections.


Topic Archived

 

Since the author did not reply for more than 30 days, the topic was archived.

 

If you are the author of the topic and want to reopen it, send a private message to a moderator of this area together with the link to this topic and explain the reason for reopening it.

