[Resolvido!] Vírus!

[andressanf 0]

Olá pessoal, sou nova aqui e completamente leiga no assunto...

meu computador foi infectado com um vírus do msn através do arquivo:

 

C:\windows\photo_13301.zip

C:\windows\system32\microsoft\backup.tftp

 

O scan indicou como vírus o C:\WINDOWS\system32\Tools\Restart.exe, o qual eu deletei.

Pesquisando na net descobri que nao adianta deletar esse arquivo pois ele é carregado na memoria.

Assim, toda vez que entro no msn ele continua mandando virus pra todos os contatos.

 

A partir daí não sei mais como proceder...

Aqui está meu log:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:21:56, on 2/10/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe

C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\ARQUIV~1\AVG\AVG8\avgrsx.exe

C:\ARQUIV~1\AVG\AVG8\avgemc.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe

C:\ARQUIV~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\pchealth\helpctr\binaries\svchost.exe

C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexStoreSvr.exe

C:\Arquivos de programas\Skype\Phone\Skype.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexingService.exe

C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe

C:\Arquivos de programas\AutoCAD 2008\acad.exe

C:\DOCUME~1\Andressa\CONFIG~1\Temp\AdskCleanup.0001

C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=proxy.intranet.ct.utfpr.edu.br:3128;http=proxy.intranet.ct.utfpr.edu.br:3128

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.utfpr.edu.br;<local>

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Arquivos de programas\AVG\AVG8\avgssie.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [NBKeyScan] "C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [svchost.exe] C:\WINDOWS\pchealth\helpctr\binaries\svchost.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARQUIV~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [indxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [TrayHabil] C:\Arquivos de programas\Koinonia Software\Habil for Windows\TrayHabil.exe

O4 - HKCU\..\Run: [AdobeUpdater] C:\Arquivos de programas\Arquivos comuns\Adobe\Updater5\AdobeUpdater.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Arquivos de programas\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: avgrsstx.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexingService.exe

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

 

--

End of file - 6636 bytes

 

 

agradeço desde já qualquer ajuda!

[Silas Martins 0]

SDFix:

Baixe o SDFix e e arquive na sua área de trabalho.

 

*Execute o SDFix.exe[/b] clicando duas vezes sobre ele.

* Permitam-lo para instalar na localização padrão, que é normalmente c: \ SDFix

* Agora, por favor, reinicie o computador em modo de segurança (Reinicie o computador e segure a tecla F8 sem solta-la até que seja disponibilizada a tela onde você opte por modo de segurança)

* Depois de ter arrancado em modo seguro, abra o C: \ SDFix pasta e dê um duplo clique em RunThis.bat para iniciar o script.

* Aperte Y para iniciar a limpeza do processo.

* Ele irá remover qualquer Tróia ou Serviços Secretaria entradas encontradas e, em seguida, pedir-lhe para pressione qualquer tecla para reiniciar.

* Pressione qualquer tecla e ele irá reiniciar o PC.

* Quando o PC reinicia a Fixtool irá correr de novo e completar o processo de remoção exibição terminados em seguida, pressione qualquer tecla para terminar o script e carregar seu desktop ícones.

* Depois de a carregar os ícones desktop SDFix relatório será aberta a tela e também em salvar a pasta SDFix como Report.txt.

*Poste o Report.txt juntamente com novo log do hijackthis gerado em modo normal.

[andressanf 0]

Aqui está o report:

 

 

SDFix: Version 1.230

Run by Administrador on --- 03/10/2008 at 13:30

 

Microsoft Windows XP [versÆo 5.1.2600]

Running From: C:\SDFix

 

Checking Services :

 

 

C:\WINDOWS\system32\Microsoft\backup.ftp Found

C:\WINDOWS\system32\Microsoft\backup.tftp Found

 

Checking files:

 

Genuine:

C:\WINDOWS\system32\Microsoft\backup.ftp

C:\WINDOWS\system32\Microsoft\backup.tftp

 

 

Restoring Default Security Values

Restoring Default Hosts File

 

Rebooting

 

 

Checking Files :

 

Trojan Files Found:

 

C:\WINDOWS\Photo_13301.zip - Deleted

C:\WINDOWS\system32\Microsoft\backup.ftp - Deleted

C:\WINDOWS\system32\Microsoft\backup.tftp - Deleted

 

 

 

 

 

Removing Temp Files

 

ADS Check :

 

 

 

Final Check :

 

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-03 13:35:56

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden services & system hive ...

 

scanning hidden registry entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

 

Remaining Services :

 

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

"C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"="C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

"C:\\Arquivos de programas\\Messenger\\msmsgs.exe"="C:\\Arquivos de programas\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

"C:\\Arquivos de programas\\uTorrent\\uTorrent.exe"="C:\\Arquivos de programas\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"

"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"="C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"="C:\\Arquivos de programas\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

"C:\\Arquivos de programas\\AVG\\AVG8\\avgemc.exe"="C:\\Arquivos de programas\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"

"C:\\Arquivos de programas\\AVG\\AVG8\\avgupd.exe"="C:\\Arquivos de programas\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"

"C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"="C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

"C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"="C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"="C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"="C:\\Arquivos de programas\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

 

Remaining Files :

 

 

File Backups: - C:\SDFix\backups\backups.zip

 

Files with Hidden Attributes :

 

Fri 3 Oct 2008 2,516 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"

Tue 30 Sep 2008 59,904 ..SHR --- "C:\WINDOWS\pchealth\helpctr\binaries\svchost.exe"

Fri 13 Jun 2008 18,736,128 A..H. --- "C:\Documents and Settings\Andressa\Meus documentos\Projetos\REUNI\Memoriais\~WRL2493.tmp"

 

Finished!

e aqui esá o novo log:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:44:16, on 3/10/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe

C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\ARQUIV~1\AVG\AVG8\avgrsx.exe

C:\ARQUIV~1\AVG\AVG8\avgemc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe

C:\ARQUIV~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe

C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexStoreSvr.exe

C:\Arquivos de programas\Skype\Phone\Skype.exe

C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexingService.exe

C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\ARQUIV~1\AVG\AVG8\avgupd.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =

 

ftp=proxy.intranet.ct.utfpr.edu.br:3128;http=proxy.intranet.ct.utfpr.edu.br:3128

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =

 

*.utfpr.edu.br;<local>

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos

 

de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -

 

C:\Arquivos de programas\AVG\AVG8\avgssie.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de

 

programas\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} -

 

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos

 

comuns\Nero\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [NBKeyScan] "C:\Arquivos de programas\Nero\Nero8\Nero

 

BackItUp\NBKeyScan.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de

 

programas\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos

 

comuns\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARQUIV~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader

 

8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Arquivos de programas\Arquivos

 

comuns\InstallShield\UpdateService\ISUSPM.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Arquivos de programas\Arquivos

 

comuns\InstallShield\UpdateService\issch.exe" -start

O4 - HKCU\..\Run: [indxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de

 

programas\Arquivos comuns\Nero\Lib\NMIndexStoreSvr.exe"

 

ASO-616B5711-6DAE-4795-A05F-39A1E5104020

O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash

 

/minimized

O4 - HKCU\..\Run: [TrayHabil] C:\Arquivos de programas\Koinonia Software\Habil for

 

Windows\TrayHabil.exe

O4 - HKCU\..\Run: [AdobeUpdater] C:\Arquivos de programas\Arquivos

 

comuns\Adobe\Updater5\AdobeUpdater.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL

 

SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK

 

SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft

 

Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xportar para o Microsoft Excel -

 

res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de

 

programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

 

C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de

 

programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de

 

programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

 

C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Arquivos de

 

programas\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} -

 

C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: avgrsstx.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Arquivos de programas\Arquivos

 

comuns\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. -

 

C:\ARQUIV~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. -

 

C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Arquivos de

 

programas\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos

 

comuns\Nero\Lib\NMIndexingService.exe

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. -

 

C:\WINDOWS\system32\IoctlSvc.exe

 

--

End of file - 6663 bytes

[Silas Martins 0]

Baixe o Malwarebytes Anti-Malware

 

 

* Inicie a instalação clique em "mbam-setup.exe";

* Marque "Atualizar Malwarebytes Anti-Malware" e "Executar Malwarebytes Anti-Malware", e clique em concluir.

* Marque "Verificação Rápida" e depois clique em Verificar.

* Quando o scan terminar, clique em Ok e em "Mostrar Resultados" para ver o log;

* Se algo for detectado, veja se tudo está marcado e clique em "Remover";

* O log é automaticamente gravado e pode ser consultado clicando em "Logs" do menu principal;

* Copie e cole esse log, juntamente com o novo log do hijacktihis .

Aguado o retorno.

[andressanf 0]

aqui está o log do malwarebytes

 

Malwarebytes' Anti-Malware 1.28

Versão do banco de dados: 1225

Windows 5.1.2600 Service Pack 2

 

3/10/2008 15:52:30

mbam-log-2008-10-03 (15-52-30).txt

 

Tipo de Verificação: Rápida

Objetos verificados: 50546

Tempo decorrido: 6 minute(s), 12 second(s)

 

Processos da Memória infectados: 0

Módulos de Memória Infectados: 0

Chaves do Registro infectadas: 0

Valores do Registro infectados: 0

Ítens do Registro infectados: 0

Pastas infectadas: 0

Arquivos infectados: 0

 

Processos da Memória infectados:

(Nenhum ítem malicioso foi detectado)

 

Módulos de Memória Infectados:

(Nenhum ítem malicioso foi detectado)

 

Chaves do Registro infectadas:

(Nenhum ítem malicioso foi detectado)

 

Valores do Registro infectados:

(Nenhum ítem malicioso foi detectado)

 

Ítens do Registro infectados:

(Nenhum ítem malicioso foi detectado)

 

Pastas infectadas:

(Nenhum ítem malicioso foi detectado)

 

Arquivos infectados:

(Nenhum ítem malicioso foi detectado)

 

e o novo log do hijacktihis

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:54:47, on 3/10/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe

C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\ARQUIV~1\AVG\AVG8\avgrsx.exe

C:\ARQUIV~1\AVG\AVG8\avgemc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe

C:\ARQUIV~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe

C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexStoreSvr.exe

C:\Arquivos de programas\Skype\Phone\Skype.exe

C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexingService.exe

C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\Arquivos de programas\AutoCAD 2008\acad.exe

C:\DOCUME~1\Andressa\CONFIG~1\Temp\AdskCleanup.0001

C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe

C:\Arquivos de programas\Windows Media Player\wmplayer.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =

 

ftp=proxy.intranet.ct.utfpr.edu.br:3128;http=proxy.intranet.ct.utfpr.edu.br:3128

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =

 

*.utfpr.edu.br;<local>

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos

 

de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -

 

C:\Arquivos de programas\AVG\AVG8\avgssie.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de

 

programas\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} -

 

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos

 

comuns\Nero\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [NBKeyScan] "C:\Arquivos de programas\Nero\Nero8\Nero

 

BackItUp\NBKeyScan.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de

 

programas\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos

 

comuns\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARQUIV~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader

 

8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Arquivos de programas\Arquivos

 

comuns\InstallShield\UpdateService\ISUSPM.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Arquivos de programas\Arquivos

 

comuns\InstallShield\UpdateService\issch.exe" -start

O4 - HKCU\..\Run: [indxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de

 

programas\Arquivos comuns\Nero\Lib\NMIndexStoreSvr.exe"

 

ASO-616B5711-6DAE-4795-A05F-39A1E5104020

O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash

 

/minimized

O4 - HKCU\..\Run: [TrayHabil] C:\Arquivos de programas\Koinonia Software\Habil for

 

Windows\TrayHabil.exe

O4 - HKCU\..\Run: [AdobeUpdater] C:\Arquivos de programas\Arquivos

 

comuns\Adobe\Updater5\AdobeUpdater.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL

 

SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK

 

SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft

 

Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xportar para o Microsoft Excel -

 

res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de

 

programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

 

C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de

 

programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de

 

programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

 

C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Arquivos de

 

programas\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} -

 

C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: avgrsstx.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Arquivos de programas\Arquivos

 

comuns\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. -

 

C:\ARQUIV~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. -

 

C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Arquivos de

 

programas\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos

 

comuns\Nero\Lib\NMIndexingService.exe

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. -

 

C:\WINDOWS\system32\IoctlSvc.exe

 

--

End of file - 6807 bytes

[Silas Martins 0]

Baixe o ComboFix em:

ComboFix

 

1) Desabilite o seu anti-vírus temporariamente;

2) Dê um duplo-clique no combofix.exe e tecle "1" para prosseguir. O processo vai durar, em média, 10 minutos;

3) O ComboFix reiniciará o PC automaticamente, a fim de que o processo de remoção seja finalizado (somente se houver infecção);

4) Quando a varredura acabar, será gerado um log, que estará em C:\ComboFix.txt;

5) Não clique na janela do ComboFix, nem feche clicando no X, enquanto a ferramenta estiver sendo executada, pois isto implicará na desconfiguração de seu desktop (ele ficará todo branco);

6) Para parar ou sair do ComboFix, tecle "N";

7) Reabilite o seu anti-vírus;

8) Preciso que você cole o conteúdo do ComboFix.txtjuntamente com o novo log do hijackthis em sua próxima resposta.

 

OBS.: Caso apareça uma mensagem avisando que ESTE NÃO É UM APLICATIVO WIN 32 VÁLIDO baixe o ComboFix novamente, mas salve-o em seu Desktop como KomboFix. Em último caso, tente utilizar o ComboFix em MODO SEGURO.

 

 

Atenção:

Não clique em nada enquanto o Combofix estiver rodando, Do contrário seu desktop ficará em branco.

 

Para parar o processo ou sair do ComboFix, tecle "2" e Enter.

 

Aguardo o retorno

[andressanf 0]

Log do ComboFix

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Arquivos de programas\\Messenger\\msmsgs.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

"C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"51701:TCP"= 51701:TCP:51701

"51701:UDP"= 51701:UDP:51701

 

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 28544]

S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2007-05-02 83592]

S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2007-05-02 15112]

S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2007-05-02 109704]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{02d8f117-7827-11dd-8536-0019218d5d2e}]

\Shell\auto\command - Knight.exe open

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open

\Shell\explore\command - Knight.exe open

\Shell\find\command - Knight.exe open

\Shell\install\command - Knight.exe open

\Shell\open\command - Knight.exe open

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1430437b-309e-11dd-84df-0019218d5d2e}]

\Shell\AutoRun\command - ff1q0gw.bat

\Shell\explore\Command - ff1q0gw.bat

\Shell\open\Command - ff1q0gw.bat

 

*Newly Created Service* - PROCEXP90

.

- - - - ORFAOS REMOVIDOS - - - -

 

HKCU-Run-TrayHabil - C:\Arquivos de programas\Koinonia Software\Habil for Windows\TrayHabil.exe

 

 

.

------- Ccan Suplementar -------

.

FireFox -: Profile - C:\Documents and Settings\Andressa\Dados de aplicativos\Mozilla\Firefox\Profiles\lklogdpy.default\

FireFox -: prefs.js - STARTUP.HOMEPAGE - chrome://fastdial/content/fastdial.html

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-06 10:11:24

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros ocultos ...

 

Varredura completada com sucesso

Ficheiros ocultos: 0

 

**************************************************************************

.

Tempo para conclusão: 2008-10-06 10:12:23

ComboFix-quarantined-files.txt 2008-10-06 13:12:09

 

Pre-Run: 6 pasta(s) 130.637.918.208 bytes disponíveis

Post-Run: 8 pasta(s) 132,129,042,432 bytes disponíveis

 

128 --- E O F --- 2008-05-21 20:56:45

 

novo log do Hijackthis

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:15:36, on 6/10/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe

C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe

C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexStoreSvr.exe

C:\Arquivos de programas\Skype\Phone\Skype.exe

C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexingService.exe

C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=proxy.intranet.ct.utfpr.edu.br:3128;http=proxy.intranet.ct.utfpr.edu.br:3128

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.utfpr.edu.br;<local>

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [NBKeyScan] "C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start

O4 - HKCU\..\Run: [indxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [AdobeUpdater] C:\Arquivos de programas\Arquivos comuns\Adobe\Updater5\AdobeUpdater.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexingService.exe

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

 

--

End of file - 5972 bytes

[Silas Martins 0]

Log do Combofix ta incopleto.

[andressanf 0]

ComboFix 08-10-05.06 - Andressa 2008-10-06 10:10:12.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.609 [GMT -3:00]

Executando de: C:\Documents and Settings\Andressa\Desktop\ComboFix.exe

* Criado um novo ponto de restauro

 

ATENÇAO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!

.

 

((((((((((((((((((((((( Ficheiros criados de 2008-09-06 to 2008-10-06 ))))))))))))))))))))))))))))))))

.

 

2008-10-06 09:27 . 2008-10-06 09:27 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Avg8

2008-10-03 15:44 . 2008-10-03 15:44 <DIR> d-------- C:\Documents and Settings\Andressa\Dados de aplicativos\Malwarebytes

2008-10-03 15:44 . 2008-10-03 15:44 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Malwarebytes

2008-10-03 15:44 . 2008-10-03 15:45 <DIR> d-------- C:\Arquivos de programas\Malwarebytes' Anti-Malware

2008-10-03 15:44 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-10-03 15:44 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-10-03 13:28 . 2008-10-03 13:28 <DIR> d-------- C:\WINDOWS\ERUNT

2008-10-03 13:20 . 2008-10-03 13:37 <DIR> d-------- C:\SDFix

2008-10-03 10:06 . 2008-10-03 10:06 28,946 --a------ C:\WINDOWS\FontData.fdb

2008-10-03 10:02 . 2008-10-03 10:03 2,516 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys

2008-10-03 10:01 . 2008-10-03 10:01 <DIR> d-------- C:\Documents and Settings\Andressa\Dados de aplicativos\Corel

2008-10-03 10:01 . 2008-10-03 10:01 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\InstallShield

2008-10-03 09:58 . 2008-10-03 09:58 <DIR> d-------- C:\Arquivos de programas\Corel

2008-10-03 09:58 . 2008-10-03 09:58 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Corel

2008-10-02 16:21 . 2008-10-02 16:21 <DIR> d-------- C:\Arquivos de programas\Trend Micro

2008-10-02 15:51 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys

2008-10-02 11:14 . 2008-03-18 16:01 <DIR> d--h----- C:\Documents and Settings\Administrador\Modelos

2008-10-02 11:14 . 2008-03-18 12:49 <DIR> d-------- C:\Documents and Settings\Administrador\Meus documentos

2008-10-02 11:14 . 2008-03-18 12:49 <DIR> dr------- C:\Documents and Settings\Administrador\Menu Iniciar

2008-10-02 11:14 . 2008-03-18 12:49 <DIR> d-------- C:\Documents and Settings\Administrador\Favoritos

2008-10-02 11:14 . 2008-03-18 12:49 <DIR> dr-h----- C:\Documents and Settings\Administrador\Dados de aplicativos

2008-10-02 11:14 . 2008-10-06 10:11 <DIR> d--h----- C:\Documents and Settings\Administrador\Configurações locais

2008-10-02 11:14 . 2008-03-18 12:49 <DIR> d--h----- C:\Documents and Settings\Administrador\Ambiente de rede

2008-10-02 11:14 . 2008-03-18 12:49 <DIR> d--h----- C:\Documents and Settings\Administrador\Ambiente de impressão

2008-10-02 11:14 . 2008-10-02 11:14 <DIR> d-------- C:\Documents and Settings\Administrador

2008-10-01 17:33 . 2008-10-02 15:50 <DIR> d-------- C:\Arquivos de programas\Panda Security

2008-10-01 17:27 . 2008-10-01 18:45 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Panda Software

2008-10-01 17:16 . 2008-10-01 17:16 <DIR> d-------- C:\Arquivos de programas\MSN Messenger

2008-09-23 09:07 . 2008-09-23 09:27 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-06 13:03 --------- d-----w C:\Documents and Settings\Andressa\Dados de aplicativos\Skype

2008-10-06 12:12 --------- d-----w C:\Documents and Settings\Andressa\Dados de aplicativos\skypePM

2008-10-03 14:12 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\pdf995

2008-10-03 13:01 --------- d-----w C:\Arquivos de programas\Arquivos comuns\InstallShield

2008-10-02 16:53 --------- d---a-w C:\Documents and Settings\All Users\Dados de aplicativos\TEMP

2008-10-01 19:49 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\WLInstaller

2008-10-01 14:11 --------- d-----w C:\Arquivos de programas\Windows Live

2008-09-30 22:56 59,904 --sh--r C:\WINDOWS\pchealth\helpctr\binaries\svchost.exe

2008-09-01 19:26 --------- d-----w C:\Arquivos de programas\Real

2008-09-01 19:26 --------- d-----w C:\Arquivos de programas\Arquivos comuns\xing shared

2008-09-01 19:26 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Real

2008-08-27 19:36 51,088 ----a-w C:\Documents and Settings\Andressa\Dados de aplicativos\GDIPFONTCACHEV1.DAT

2008-08-18 14:50 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Adobe

2008-04-01 13:04 32 ----a-w C:\Documents and Settings\All Users\Dados de aplicativos\ezsid.dat

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]

"Skype"="C:\Arquivos de programas\Skype\Phone\Skype.exe" [2008-02-01 21898024]

"AdobeUpdater"="C:\Arquivos de programas\Arquivos comuns\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]

"msnmsgr"="C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

"MSMSGS"="C:\Arquivos de programas\Messenger\msmsgs.exe" [2004-10-13 1694208]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]

"NBKeyScan"="C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]

"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"TkBellExe"="C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" [2008-09-01 185896]

"Adobe Reader Speed Launcher"="C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"ISUSPM Startup"="C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]

"ISUSScheduler"="C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]

"SoundMan"="SOUNDMAN.EXE" [2005-06-20 C:\WINDOWS\SOUNDMAN.EXE]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2007-10-29 15360]

 

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\

Microsoft Office.lnk - C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Arquivos de programas\\Messenger\\msmsgs.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

"C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"51701:TCP"= 51701:TCP:51701

"51701:UDP"= 51701:UDP:51701

 

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 28544]

S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2007-05-02 83592]

S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2007-05-02 15112]

S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2007-05-02 109704]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{02d8f117-7827-11dd-8536-0019218d5d2e}]

\Shell\auto\command - Knight.exe open

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open

\Shell\explore\command - Knight.exe open

\Shell\find\command - Knight.exe open

\Shell\install\command - Knight.exe open

\Shell\open\command - Knight.exe open

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1430437b-309e-11dd-84df-0019218d5d2e}]

\Shell\AutoRun\command - ff1q0gw.bat

\Shell\explore\Command - ff1q0gw.bat

\Shell\open\Command - ff1q0gw.bat

 

*Newly Created Service* - PROCEXP90

.

- - - - ORFAOS REMOVIDOS - - - -

 

HKCU-Run-TrayHabil - C:\Arquivos de programas\Koinonia Software\Habil for Windows\TrayHabil.exe

 

 

.

------- Ccan Suplementar -------

.

FireFox -: Profile - C:\Documents and Settings\Andressa\Dados de aplicativos\Mozilla\Firefox\Profiles\lklogdpy.default\

FireFox -: prefs.js - STARTUP.HOMEPAGE - chrome://fastdial/content/fastdial.html

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-06 10:11:24

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros ocultos ...

 

Varredura completada com sucesso

Ficheiros ocultos: 0

 

**************************************************************************

.

Tempo para conclusão: 2008-10-06 10:12:23

ComboFix-quarantined-files.txt 2008-10-06 13:12:09

 

Pre-Run: 6 pasta(s) 130.637.918.208 bytes disponíveis

Post-Run: 8 pasta(s) 132,129,042,432 bytes disponíveis

 

128 --- E O F --- 2008-05-21 20:56:45

 

 

Será que agora está certo??

[Silas Martins 0]

Log limpo

Oproblema persiste?

[andressanf 0]

Problema resolvido!

 

Muito Obrigada!

[Silas Martins 0]

PROBLEMA RESOLVIDO!

 

Caso o autor necessite que o tópico seja reaberto basta enviar uma Mensagem Privada para um Moderador com um link para o tópico.