[Resolvido!] [Analise de Log] problemas com IEXPLORE.EXE

conju · Outubro 14, 2008

Bom estou com problemas no iexplore.exe, ele abre 2 processos no gerenciador de tarefas, gostaria de como remove-lo, segue o log abaixo:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:17:09, on 13/10/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Arquivos de programas\Teamspeak2_RC2\TeamSpeak.exe

C:\Arquivos de programas\MSN Messenger\usnsvc.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

D:\internet\dowloads\HiJackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.live.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.live.com/sphome.aspx

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Arquivos de programas\HP\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Arquivos de programas\HP\Smart Web Printing\hpswp_framework.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: VIPTToolbarManager Class - {1A2641AE-2C42-4C51-A05F-8ECEC3FDC94D} - C:\Arquivos de programas\Visual IP Trace 2008\VisualIPTraceIE.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Visual IP Trace - {E70C26AE-DFF1-40A8-8D37-19180F56F0AA} - C:\Arquivos de programas\Visual IP Trace 2008\VisualIPTraceIE.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [RemoteControl8] "C:\Arquivos de programas\CyberLink\PowerDVD8\PDVD8Serv.exe"

O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD8\Language\Language.exe"

O4 - HKLM\..\Run: [bDRegion] C:\Arquivos de programas\Cyberlink\Shared Files\brs.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [invisibleIPMap] "C:\Arquivos de programas\Invisible IP Map\InvisibleIP.exe" /startup

O4 - HKLM\..\Run: [file wave user bat] C:\Documents and Settings\All Users\Dados de aplicativos\Mail For File Wave\Junk Dent.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [steam] "c:\arquivos de programas\steam\steam.exe" -silent

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Flaw great] C:\DOCUME~1\Conjuu\DADOSD~1\ADMINB~1\Owns extra 01.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Livro de recortes HP - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Arquivos de programas\HP\Smart Web Printing\hpswp_extensions.dll

O9 - Extra button: Seleção HP Smart - {700259D7-1666-479a-93B1-3250410481E8} - C:\Arquivos de programas\HP\Smart Web Printing\hpswp_extensions.dll

O9 - Extra button: Magic Nettrace - {92848C13-5482-49CB-B31C-CA8D74EFF508} - C:\Arquivos de programas\Magic NetTrace\MTIE.exe

O9 - Extra 'Tools' menuitem: &Magic Nettrace - {92848C13-5482-49CB-B31C-CA8D74EFF508} - C:\Arquivos de programas\Magic NetTrace\MTIE.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{67143F14-CA95-478E-8071-1133DE9C745D}: NameServer = 200.204.0.10 200.204.0.138

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

jgarcia · Outubro 14, 2008

Opa conju,

Baixe o ComboFix em:

ComboFix

1) Desabilite o seu anti-vírus temporariamente;

2) Dê um duplo-clique no combofix.exe e tecle "1" para prosseguir. O processo vai durar, em média, 10 minutos;

3) O ComboFix reiniciará o PC automaticamente, a fim de que o processo de remoção seja finalizado (somente se houver infecção);

4) Quando a varredura acabar, será gerado um log, que estará em C:\ComboFix.txt;

5) Não clique na janela do ComboFix, nem feche clicando no X, enquanto a ferramenta estiver sendo executada, pois isto implicará na desconfiguração de seu desktop (ele ficará todo branco);

6) Para parar ou sair do ComboFix, tecle "N";

7) Reabilite o seu anti-vírus;

8) Preciso que você cole o conteúdo do ComboFix.txt em sua próxima resposta.

OBS.: Caso apareça uma mensagem avisando que ESTE NÃO É UM APLICATIVO WIN 32 VÁLIDO baixe o ComboFix novamente, mas salve-o em seu Desktop como KomboFix. Em último caso, tente utilizar o ComboFix em MODO SEGURO.

Abraços.

conju · Outubro 14, 2008

Fiz conforme foi informado, segue o novo log abaixo:

ComboFix 08-10-12.01 - Conjuu 2008-10-13 21:50:21.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.675 [GMT -2:00]

Executando de: D:\internet\dowloads\ComboFix.exe

* Criado um novo ponto de restauro

ATENÇAO - ESTA MAQUINA NAO TEM O CONSOLE DE RECUPERAÇÃO INSTALADA !!

.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\system32\AutoRun.inf

.

(((((((((((((((( Arquivos/Ficheiros criados de 2008-09-13 to 2008-10-13 ))))))))))))))))))))))))))))

.

2008-10-13 22:08 . 2008-10-13 22:08 <DIR> d-------- C:\WINDOWS\LastGood

2008-10-13 22:08 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys

2008-10-13 22:07 . 2008-10-13 22:07 <DIR> d-------- C:\Arquivos de programas\Panda Security

2008-10-13 17:56 . 2008-10-13 17:56 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Messenger Plus!

2008-10-13 17:46 . 2008-10-13 17:46 <DIR> d-------- C:\Arquivos de programas\Windows Live

2008-10-13 17:45 . 2008-10-13 17:45 <DIR> d-------- C:\Documents and Settings\Conjuu\Contacts

2008-10-13 17:44 . 2008-10-13 17:46 <DIR> d-------- C:\Arquivos de programas\MSN Messenger

2008-10-13 16:42 . 2008-10-13 16:42 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Mail For File Wave

2008-10-13 16:41 . 2008-10-13 16:42 <DIR> d-------- C:\Documents and Settings\Conjuu\Dados de aplicativos\Admin Barb

2008-10-13 16:41 . 2008-10-13 16:41 <DIR> d-------- C:\Arquivos de programas\Circle Developement

2008-10-13 16:41 . 2008-10-13 16:41 <DIR> d-------- C:\Arquivos de programas\Admin Barb

2008-10-12 17:45 . 2008-10-13 17:28 <DIR> d-------- C:\Arquivos de programas\Windows Live Safety Center

2008-10-12 17:38 . 2008-10-12 17:39 <DIR> d-------- C:\Arquivos de programas\Magic NetTrace

2008-10-11 15:15 . 2008-10-11 15:15 236 --a------ C:\sqmdata01.sqm

2008-10-11 15:15 . 2008-10-11 15:15 200 --a------ C:\sqmnoopt01.sqm

2008-10-11 15:14 . 2006-11-29 14:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll

2008-10-11 15:12 . 2008-10-11 15:12 <DIR> d-------- C:\Arquivos de programas\Microsoft

2008-10-11 15:03 . 2008-10-11 15:03 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Windows Live

2008-10-11 04:35 . 2008-07-18 23:07 270,880 --a------ C:\WINDOWS\system32\mucltui.dll

2008-10-11 04:35 . 2008-07-18 23:07 210,976 --a------ C:\WINDOWS\system32\muweb.dll

2008-10-11 04:35 . 2008-07-18 23:07 29,728 --a------ C:\WINDOWS\system32\mucltui.dll.mui

2008-10-11 02:52 . 2008-10-11 02:52 <DIR> d--hsc--- C:\Arquivos de programas\Arquivos comuns\WindowsLiveInstaller

2008-10-11 02:51 . 2008-10-11 03:06 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\WLInstaller

2008-10-10 18:58 . 2008-10-11 05:05 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak

2008-10-08 21:45 . 2008-10-12 18:24 <DIR> d-------- C:\Arquivos de programas\sXe Injected

2008-10-07 02:18 . 2008-10-07 02:18 <DIR> d-------- C:\Documents and Settings\Conjuu\vw

2008-10-07 02:18 . 2008-10-07 02:18 <DIR> d-------- C:\Documents and Settings\Conjuu\Visual IP Trace

2008-10-07 02:18 . 2008-10-07 02:18 <DIR> d-------- C:\Arquivos de programas\Visual IP Trace 2008

2008-10-07 01:49 . 2008-10-07 01:49 <DIR> d-------- C:\Arquivos de programas\Invisible IP Map

2008-10-07 01:07 . 2008-10-07 01:07 <DIR> d-------- C:\Arquivos de programas\SocksCapV2

2008-10-07 01:07 . 1998-02-06 23:37 299,520 --a------ C:\WINDOWS\uninst.exe

2008-10-07 01:06 . 2008-10-07 01:06 <DIR> d-------- C:\Documents and Settings\Conjuu\WINDOWS

2008-10-06 18:20 . 2008-10-06 18:23 <DIR> d-------- C:\WINDOWS\vf_hip

2008-10-06 18:20 . 2008-10-06 18:21 <DIR> d-------- C:\Arquivos de programas\Hide IP Platinum

2008-10-06 18:20 . 2008-10-06 18:20 32 --a------ C:\WINDOWS\go

2008-10-06 17:54 . 2008-10-06 17:54 <DIR> d-------- C:\Arquivos de programas\AnalogX

2008-10-01 15:24 . 2008-10-01 15:24 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\pixelStorm

2008-09-30 13:01 . 2008-10-13 17:46 <DIR> d-------- C:\Arquivos de programas\Messenger Plus! Live

2008-09-24 01:27 . 2008-09-24 01:27 <DIR> d-------- C:\WINDOWS\Sun

2008-09-20 01:44 . 2008-09-20 01:44 <DIR> d-------- C:\Arquivos de programas\Anti CSDoS by Shocker

2008-09-20 01:44 . 2006-01-31 17:27 126,464 --a------ C:\WINDOWS\system32\madCHook.dll

2008-09-18 15:24 . 2008-09-18 15:24 <DIR> d-------- C:\WINDOWS\ShellNew

2008-09-18 15:24 . 2008-09-18 15:24 415 --a------ C:\WINDOWS\ODBC.INI

2008-09-18 15:23 . 2008-09-18 15:23 <DIR> d-------- C:\Documents and Settings\Conjuu\Dados de aplicativos\Microsoft Web Folders

2008-09-18 14:42 . 2008-09-18 14:42 <DIR> d-------- C:\WINDOWS\system32\LogFiles

2008-09-18 13:38 . 2008-09-18 13:38 <DIR> d-------- C:\Arquivos de programas\KGB Archiver

2008-09-17 01:43 . 2008-10-13 15:40 <DIR> d-------- C:\Documents and Settings\Conjuu\Dados de aplicativos\LimeWire

2008-09-17 01:43 . 2008-09-17 01:43 <DIR> d-------- C:\Arquivos de programas\Java

2008-09-17 01:43 . 2008-06-10 03:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl

2008-09-17 01:41 . 2008-09-17 01:41 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Java

2008-09-17 01:38 . 2008-09-17 01:39 <DIR> d-------- C:\Arquivos de programas\LimeWire

2008-09-16 14:18 . 2008-09-16 14:18 <DIR> d-------- C:\Arquivos de programas\DsNET Corp

2008-09-16 14:18 . 2004-03-09 01:00 124,688 --a------ C:\WINDOWS\system32\MSWINSCK.OCX

2008-09-15 18:50 . 2008-09-15 18:50 <DIR> d-------- C:\Documents and Settings\Conjuu\Dados de aplicativos\CyberLink

2008-09-15 18:49 . 2008-09-15 18:50 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\CyberLink

2008-09-15 18:49 . 2008-09-15 18:49 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\CyberLink

2008-09-15 18:49 . 2008-09-15 18:47 29,480 --a------ C:\WINDOWS\system32\msxml3a.dll

2008-09-15 18:48 . 2008-09-15 18:49 <DIR> d-------- C:\Arquivos de programas\CyberLink

2008-09-15 18:47 . 2008-09-15 18:47 353,576 --a------ C:\WINDOWS\system32\msvcr71.dll

2008-09-14 13:39 . 2008-09-14 13:39 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\GRETECH

2008-09-14 13:38 . 2008-09-14 13:38 <DIR> d-------- C:\Documents and Settings\Conjuu\Dados de aplicativos\GRETECH

2008-09-14 13:38 . 2008-09-14 13:38 <DIR> d-------- C:\Arquivos de programas\GRETECH

2008-09-13 19:26 . 2008-09-16 01:16 <DIR> d-------- C:\Documents and Settings\Conjuu\Dados de aplicativos\BSplayer Pro

2008-09-13 19:25 . 2008-09-13 19:25 <DIR> d-------- C:\Arquivos de programas\Webteh

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-13 23:43 --------- d-----w C:\Arquivos de programas\Steam

2008-09-23 14:16 --------- d-----w C:\Arquivos de programas\Silkroad

2008-09-18 17:02 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Adobe

2008-09-17 04:03 --------- d-----w C:\Documents and Settings\Conjuu\Dados de aplicativos\HPAppData

2008-09-15 20:49 --------- d--h--w C:\Arquivos de programas\InstallShield Installation Information

2008-09-15 20:47 505,128 ----a-w C:\WINDOWS\system32\msvcp71.dll

2008-09-06 20:00 198,850 ----a-w C:\WINDOWS\ADDONS SITECS (NONSTEAM) Uninstaller.exe

2008-09-06 20:00 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Thraex Software

2008-09-06 00:56 --------- d-----w C:\Arquivos de programas\eMule

2008-09-05 18:54 --------- d-----w C:\Arquivos de programas\ABC Amber Access Converter

2008-09-01 01:26 --------- d-----w C:\Documents and Settings\Conjuu\Dados de aplicativos\mIRC

2008-09-01 00:52 --------- d-----w C:\Arquivos de programas\mIRC

2008-08-31 22:23 --------- d-----w C:\Arquivos de programas\Microsoft SQL Server

2008-08-31 22:23 --------- d-----w C:\Arquivos de programas\Friendship

2008-08-31 22:09 --------- d-----w C:\Arquivos de programas\MySQL

2008-08-31 20:04 --------- d-----w C:\Documents and Settings\Conjuu\Dados de aplicativos\SmartFTP

2008-08-31 20:04 --------- d-----w C:\Arquivos de programas\SmartFTP Client

2008-08-31 20:03 --------- d-----w C:\Arquivos de programas\SmartFTP Client 3.0 Setup Files

2008-08-31 17:34 --------- d-----w C:\Arquivos de programas\xBaseView

2008-08-31 16:34 --------- d-----w C:\Arquivos de programas\Filesland

2008-08-27 15:32 --------- d-----w C:\Documents and Settings\Conjuu\Dados de aplicativos\HP

2008-08-26 22:50 --------- d-----w C:\Arquivos de programas\SRO TaxI TooL

2008-08-26 17:25 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\WEBREG

2008-08-26 17:24 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\HPSSUPPLY

2008-08-26 17:24 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\HP

2008-08-26 17:24 --------- d-----w C:\Arquivos de programas\HP

2008-08-26 17:23 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\HP Product Assistant

2008-08-26 17:22 --------- d-----w C:\Arquivos de programas\Arquivos comuns\HP

2008-08-26 17:21 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Hewlett-Packard

2008-08-23 18:22 --------- d-----w C:\Documents and Settings\Conjuu\Dados de aplicativos\teamspeak2

2008-08-23 18:22 --------- d-----w C:\Arquivos de programas\Teamspeak2_RC2

2008-08-23 17:10 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\nView_Profiles

2008-08-23 14:48 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\NVIDIA

2008-08-22 17:39 --------- d-----w C:\Arquivos de programas\Realtek Sound Manager

2008-08-22 17:39 --------- d-----w C:\Arquivos de programas\Realtek AC97

2008-08-22 17:39 --------- d-----w C:\Arquivos de programas\AvRack

2008-08-22 17:22 --------- d-----w C:\Arquivos de programas\Arquivos comuns\InstallShield

2008-08-22 17:16 --------- d-----w C:\Arquivos de programas\microsoft frontpage

2008-08-22 17:14 --------- d-----w C:\Arquivos de programas\Serviços on-line

2008-08-22 17:14 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Serviços

2008-07-19 01:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll

2008-07-19 01:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe

2008-07-19 01:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll

2008-07-19 01:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll

2008-07-19 01:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll

2008-07-19 01:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll

2008-07-19 01:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll

2008-07-19 01:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

"Steam"="c:\arquivos de programas\steam\steam.exe" [2008-10-08 1410296]

"MSMSGS"="C:\Arquivos de programas\Messenger\msmsgs.exe" [2004-08-04 1667584]

"Flaw great"="C:\DOCUME~1\Conjuu\DADOSD~1\ADMINB~1\Owns extra 01.exe" [2008-10-13 524800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 13529088]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 86016]

"HP Software Update"="C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]

"RemoteControl8"="C:\Arquivos de programas\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 83240]

"PDVD8LanguageShortcut"="C:\Arquivos de programas\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]

"BDRegion"="C:\Arquivos de programas\Cyberlink\Shared Files\brs.exe" [2008-05-19 91432]

"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"Adobe Reader Speed Launcher"="C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"InvisibleIPMap"="C:\Arquivos de programas\Invisible IP Map\InvisibleIP.exe" [2007-09-18 2475520]

"file wave user bat"="C:\Documents and Settings\All Users\Dados de aplicativos\Mail For File Wave\Junk Dent.exe" [2008-10-13 970752]

"SoundMan"="SOUNDMAN.EXE" [2005-10-24 C:\WINDOWS\soundman.exe]

"nwiz"="nwiz.exe" [2008-05-02 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\

HP Digital Imaging Monitor.lnk - C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]

Microsoft Office.lnk - C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Arquivos de programas\\SmartFTP Client\\SmartFTP.exe"=

"C:\\Arquivos de programas\\Messenger\\msmsgs.exe"=

"C:\\Arquivos de programas\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};C:\Arquivos de programas\CyberLink\PowerDVD8\000.fcl [2008-05-15 13:07 61424]

S3 NTProcDrv;Process creation detector for NT.;D:\internet\bot\NtProcDrv.sys [2005-02-23 3584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ecf0eee6-7070-11dd-8445-806d6172696f}]

\Shell\AutoRun\command - E:\Launch.exe

*Newly Created Service* - PROCEXP90

.

Conteúdo da pasta 'Tarefas Agendadas'

2008-10-14 C:\WINDOWS\Tasks\A632900F958901D3.job

- c:\docume~1\conjuu\dadosd~1\adminb~1\Binddrvbleh.exe [2008-10-13 16:42]

.

- - - - ORFÃOS REMOVIDOS - - - -

WebBrowser-{21FA44EF-376D-4D53-9B0F-8A89D3229068} - (no file)

.

------- Scan Suplementar -------

.

FireFox -: Profile - C:\Documents and Settings\Conjuu\Dados de aplicativos\Mozilla\Firefox\Profiles\0yigpply.default\

FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com.br/

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-13 21:51:23

Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL]

"ImagePath"="\"C:\Arquivos de programas\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Arquivos de programas\MySQL\MySQL Server 5.0\my.ini\" MySQL"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]

"ImagePath"="\??\C:\Arquivos de programas\CyberLink\PowerDVD8\000.fcl"

.

Tempo para conclusão: 2008-10-13 21:52:52

ComboFix-quarantined-files.txt 2008-10-13 23:52:48

Pré-execução: 7 pasta(s) 34.217.910.272 bytes disponíveis

Pós execução: 11 pasta(s) 34,702,622,720 bytes disponíveis

210 --- E O F --- 2008-09-15 21:11:29

conju · Outubro 14, 2008

Preciso de ajuda para remover o IEXPLORE.EXE do gerenciador de tarefas. Grato

Mário Monteiro · Outubro 14, 2008

Finalizando tarefa nao resolve?

conju · Outubro 14, 2008

nao... estou finalizando ele, imediatamente ele ja aparece de novo, as vezes quando eu tento finalizar eles (pois sao 2 processos), por um breve momento, menos de 1 segundo, surge um outro processo desconhecido e ja some.

Mario, voce conhece algum metodo para resolver esse problema, creio que seja algum spyware.

aguardo sua resposta, te mais

jgarcia · Outubro 14, 2008

Opa conju,

Siga as instruções:

1. Abra o Bloco de Notas -> Copie (Control + C) e Cole (Control + V) todo o texto incluído no "Quote":

File::
C:\Documents and Settings\All Users\Dados de aplicativos\Mail For File Wave\Junk Dent.exe

C:\DOCUME~1\Conjuu\DADOSD~1\ADMINB~1\Owns extra 01.exe

c:\docume~1\conjuu\dadosd~1\adminb~1\Binddrvbleh.exe

C:\WINDOWS\Tasks\A632900F958901D3.job

E:\Launch.exe

Folder::

C:\Documents and Settings\All Users\Dados de aplicativos\Mail For File Wave

C:\Documents and Settings\Conjuu\Dados de aplicativos\Admin Barb

C:\Arquivos de programas\Admin Barb

C:\WINDOWS\system32\CatRoot_bak

Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Flaw great"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"file wave user bat"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000000

"FirewallOverride"=dword:00000000

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 1 (0x0)

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ecf0eee6-7070-11dd-8445-806d6172696f}]

ATENÇÃO: O script acima foi elaborado especificamente para a infecção contida neste computador. Utilizá-lo em outra máquina poderá originar graves problemas ao usuário.

2. Salve o arquivo como CFScript.txt;

3. Tal como exemplificado na foto abaixo, arraste o arquivo CFScript.txt para o ComboFix.exe.

4. Ao término do processo a ferramenta irá gerar um log. Poste-o (C:\ComboFix.txt) em sua próxima resposta, juntamente com um novo log do HijackThis.

Abraços.

PS.: Execute a ação com o seu pendrive conectado ao PC.

conju · Outubro 15, 2008

segui suas orientacoes aqui esta o log do combofix:

ComboFix 08-10-12.01 - Conjuu 2008-10-14 23:38:00.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.738 [GMT -2:00]

Executando de: C:\Documents and Settings\Conjuu\Meus documentos\ComboFix.exe

Comandos utilizados :: C:\Documents and Settings\Conjuu\Meus documentos\CFScript.txt

* Criado um novo ponto de restauro

ATENÇAO - ESTA MAQUINA NAO TEM O CONSOLE DE RECUPERAÇÃO INSTALADA !!

FILE ::

c:\docume~1\conjuu\dadosd~1\adminb~1\Binddrvbleh.exe

C:\DOCUME~1\Conjuu\DADOSD~1\ADMINB~1\Owns extra 01.exe

C:\Documents and Settings\All Users\Dados de aplicativos\Mail For File Wave\Junk Dent.exe

C:\WINDOWS\Tasks\A632900F958901D3.job

E:\Launch.exe

.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Arquivos de programas\Admin Barb

c:\docume~1\conjuu\dadosd~1\adminb~1\Binddrvbleh.exe

C:\DOCUME~1\Conjuu\DADOSD~1\ADMINB~1\Owns extra 01.exe

C:\Documents and Settings\All Users\Dados de aplicativos\Mail For File Wave

C:\Documents and Settings\All Users\Dados de aplicativos\Mail For File Wave\Junk Dent.exe

C:\Documents and Settings\Conjuu\Dados de aplicativos\Admin Barb

C:\Documents and Settings\Conjuu\Dados de aplicativos\Admin Barb\0

C:\Documents and Settings\Conjuu\Dados de aplicativos\Admin Barb\Binddrvbleh.exe

C:\Documents and Settings\Conjuu\Dados de aplicativos\Admin Barb\khvglesh.exe

C:\Documents and Settings\Conjuu\Dados de aplicativos\Admin Barb\Owns extra 01.exe

C:\Documents and Settings\Conjuu\Dados de aplicativos\Admin Barb\SpamHopeJugsIso.exe

C:\WINDOWS\system32\CatRoot_bak

C:\WINDOWS\Tasks\A632900F958901D3.job

.

(((((((((((((((( Arquivos/Ficheiros criados de 2008-09-15 to 2008-10-15 ))))))))))))))))))))))))))))

.

2008-10-14 12:41 . 2008-10-14 12:41 <DIR> d-------- C:\Documents and Settings\Conjuu\Dados de aplicativos\Malwarebytes

2008-10-14 12:41 . 2008-10-14 12:41 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Malwarebytes

2008-10-14 12:41 . 2008-10-14 12:42 <DIR> d-------- C:\Arquivos de programas\Malwarebytes' Anti-Malware

2008-10-14 12:41 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-10-14 12:41 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-10-14 12:11 . 2008-10-14 12:13 <DIR> d-------- C:\Arquivos de programas\Marcos Velasco Security