Archived

This topic has been archived and is closed to new replies.

roberta alana

[Solved!] Strange processes

I have strange processes on my PC, they are the following:

lsass.exe

imgmg.exe and wscntfx.exe

 

here's the HijackThis log

 

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 00:15:50, on 17/12/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Alwil Software\Avast4\ashDisp.exe

C:\WINDOWS\system32\wscntfx.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Octh Class - {000123B4-9B42-4900-B3F7-F4B073EFC214} - (no file)

O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Arquivos de programas\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - C:\ARQUIV~1\FreshDevices\FreshDownload\fdiebar.dll

O4 - HKLM\..\Run: [avast!] "C:\Arquivos de programas\Alwil Software\Avast4\ashDisp.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [wscntfx.exe] C:\WINDOWS\system32\wscntfx.exe

O4 - HKLM\..\Run: [imgmg.exe] C:\WINDOWS\system32\imgmg.exe

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - HKCU\..\Run: [explorer] C:\WINDOWS\system32\process.exe

O4 - HKCU\..\Run: [idmaq32.exe] C:\WINDOWS\system32\idmaq32.exe

O4 - HKUS\S-1-5-21-448539723-1645522239-1801674531-500\..\Run: [ctfmon.exe] ctfmon.exe (User '?')

O4 - HKUS\S-1-5-21-448539723-1645522239-1801674531-500\..\Run: [explorer] C:\WINDOWS\system32\process.exe (User '?')

O4 - HKUS\S-1-5-21-448539723-1645522239-1801674531-500\..\Run: [idmaq32.exe] C:\WINDOWS\system32\idmaq32.exe (User '?')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User '?')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: FreshDownload - {3EA0FF1C-D61E-43AF-B189-857FC94413BF} - C:\Arquivos de programas\FreshDevices\FreshDownload\fd.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Arquivos de programas\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1221510508703

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD44/JSCDL/jdk/6u...ows-i586-jc.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{93A38ADE-A771-4BA2-A015-87F91A39AE6A}: NameServer = 192.168.1.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{93A38ADE-A771-4BA2-A015-87F91A39AE6A}: NameServer = 192.168.1.1

O17 - HKLM\System\CS2\Services\Tcpip\..\{93A38ADE-A771-4BA2-A015-87F91A39AE6A}: NameServer = 192.168.1.1

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\Skype4COM.dll

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: iPod Service - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

 

--

End of file - 7615 bytes


Your log is infected by several banker trojans. This trojan steals your passwords and sends them to a cracker. I suggest that you do not access Orkut, MSN, online banking, in short, anywhere you have to enter personal information until we remove the infection from there. I also recommend that you change all your passwords after we finish cleaning your machine.

 

- Download BankerFix and save it to the desktop;

 

● Temporarily disable your antivirus so that it does not detect the tool as a virus;

● Double-click bankerfix.exe;

● A message will appear saying that it will be downloaded over the internet;

● Click OK > OK. Press Enter and wait for the scan to finish;

● When the scan finishes, read the message on the screen and press Enter again.

● A log will be generated at C:\LinhaDefensiva\relatorio.txt.

 

Paste this log in your next reply, together with a new HijackThis log.

 

Delete the C:\LinhaDefensiva folder after pasting your log here.

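A triage pass over the HijackThis entries quoted in the first post, added here as an example and not part of the thread or of the tools it names; its three rules (a core Windows process outside its XP default directory, an O4 autorun that launches a binary from system32 that is not in a constructed baseline or whose value name borrows a core process name, and an O2 BHO with no file) are this example's own heuristics, and the baseline set and directory table are assumptions made for this log.

```python
"""Triage of a HijackThis log: added example, not the thread's own tooling.

The three rules are this reviewer's heuristics, not HijackThis logic:
  1. a core Windows process under "Running processes" whose directory is not
     the one Windows XP installs it in (lsass.exe from system32, as in the
     posted log, is the expected location and is not flagged);
  2. an O4 autorun that launches a binary from system32 that is not in a
     constructed known-good baseline, or whose value name borrows a core
     process name for a different file ([explorer] -> process.exe);
  3. an O2 BHO registered with "(no file)": an orphan worth cleaning up.
"""
import re
from typing import List, Tuple

# Where Windows XP keeps the processes malware most often impersonates by name.
# Assumes %SystemRoot% is C:\WINDOWS, as in the posted log.
CORE_PROCESS_DIRS = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Constructed baseline: the only Run-key programs this example expects to be
# launched out of system32 on that machine. Anything else gets a finding.
SYSTEM32_BASELINE = {"ctfmon.exe", "regsvr32.exe", "rundll32.exe"}

PROC_RE = re.compile(r"^[a-z]:\\.*\.exe$", re.IGNORECASE)
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")


def _launched_file(cmd: str) -> str:
    """Program a Run-key command starts: the quoted path, or its first token."""
    cmd = re.sub(r"\s*\(User '[^']*'\)$", "", cmd).strip()  # drop HijackThis' user suffix
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (finding, log line) pairs for the entries the three rules flag."""
    findings: List[Tuple[str, str]] = []
    for line in (raw.strip() for raw in log.splitlines()):
        if PROC_RE.match(line):                      # "Running processes" section
            expected = CORE_PROCESS_DIRS.get(_basename(line))
            if expected is not None and _dirname(line) != expected:
                findings.append(("core process running outside %s" % expected, line))
            continue
        m = O4_RE.match(line)
        if m:                                        # autorun entry
            prog = _launched_file(m["cmd"])
            base = _basename(prog)
            if "\\system32\\" in prog.lower() and base not in SYSTEM32_BASELINE:
                findings.append(("autorun launches unknown binary from system32", line))
            value = m["name"].lower()
            value = value if value.endswith(".exe") else value + ".exe"
            if value in CORE_PROCESS_DIRS and value != base:
                findings.append(("autorun value name impersonates %s" % value, line))
            continue
        m = O2_RE.match(line)
        if m and m["path"].strip() == "(no file)":   # browser helper object
            findings.append(("orphaned BHO (no file)", line))
    return findings


# Lines quoted from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfx.exe
O2 - BHO: Octh Class - {000123B4-9B42-4900-B3F7-F4B073EFC214} - (no file)
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [avast!] "C:\Arquivos de programas\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [wscntfx.exe] C:\WINDOWS\system32\wscntfx.exe
O4 - HKLM\..\Run: [imgmg.exe] C:\WINDOWS\system32\imgmg.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [explorer] C:\WINDOWS\system32\process.exe
O4 - HKCU\..\Run: [idmaq32.exe] C:\WINDOWS\system32\idmaq32.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User '?')
"""

if __name__ == "__main__":
    for finding, entry in triage(SAMPLE_LOG):
        print("%-50s %s" % (finding, entry))
```

On the quoted lines it reports the four system32 autoruns, the [explorer] value that actually starts process.exe, and the orphaned Octh Class BHO, while the lsass.exe the poster asked about runs from its expected directory and is not flagged.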

bankerfix

 

BankerFix 3.0 VALKYRIE - Removedor de Bankers

Linha Defensiva | http://www.linhadefensiva.org

http://www.linhadefensiva.org/bankerfix/

-------------------------------------------------------

Data: 2008-12-17 - 10:35

-------------------------------------------------------

Lista de Definição: 2008-12-14-1 | CORE: 2008-12-14-1

=======================================================

 

Arquivo infectado detectado: C:\WINDOWS\system32\configex.dll

Arquivo infectado removido com sucesso!

 

Arquivo infectado detectado: C:\WINDOWS\system32\wscntfx.exe

Arquivo infectado removido com sucesso!

 

Arquivo infectado detectado: C:\WINDOWS\system32\imglog.exe

Arquivo infectado removido com sucesso!

 

 

 

----- Fim -------------------------

 

 

hijack

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:36:30, on 17/12/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Alwil Software\Avast4\ashDisp.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Octh Class - {000123B4-9B42-4900-B3F7-F4B073EFC214} - (no file)

O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Arquivos de programas\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - C:\ARQUIV~1\FreshDevices\FreshDownload\fdiebar.dll

O4 - HKLM\..\Run: [avast!] "C:\Arquivos de programas\Alwil Software\Avast4\ashDisp.exe"

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User '?')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User '?')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: FreshDownload - {3EA0FF1C-D61E-43AF-B189-857FC94413BF} - C:\Arquivos de programas\FreshDevices\FreshDownload\fd.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Arquivos de programas\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1221510508703

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD44/JSCDL/jdk/6u...ows-i586-jc.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{93A38ADE-A771-4BA2-A015-87F91A39AE6A}: NameServer = 192.168.1.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{93A38ADE-A771-4BA2-A015-87F91A39AE6A}: NameServer = 192.168.1.1

O17 - HKLM\System\CS2\Services\Tcpip\..\{93A38ADE-A771-4BA2-A015-87F91A39AE6A}: NameServer = 192.168.1.1

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\Skype4COM.dll

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: iPod Service - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

 

--

End of file - 6722 bytes


Delete the C:\LinhaDefensiva folder (if it is still there).

 

- Download ComboFix and save it to the desktop;

 

● Temporarily disable your antivirus so that it does not detect the tool as a virus;

● Double-click the combofix.exe icon to start the scan;

● Read the agreement that appears and click Yes to continue;

● A Recovery Console window will open; click Yes to install it. If another Console window appears, click OK > Yes;

● Wait while ComboFix scans;

● If any problem occurs during the scan, restart your computer in Safe Mode and repeat the procedure;

Do not click on the ComboFix window, and try not to use the keyboard either, so as not to interfere with the tool's scan;

● If you want to quit or stop ComboFix, press N;

● When it finishes, your computer will be restarted. After the restart the tool will run again; wait;

● A log will be generated at C:\ComboFix.txt.

 

Paste this log in your next reply.


ComboFix 08-12-16.03 - Administrador 2008-12-17 15:37:49.4 - NTFSx86

 

Executando de: c:\documents and settings\Administrador\Desktop\ComboFix.exe

.

 

(((((((((((((((( Arquivos/Ficheiros criados de 2008-11-17 to 2008-12-17 ))))))))))))))))))))))))))))

.

 

2008-12-17 13:45 . 2008-12-17 13:46 <DIR> d----c--- c:\arquivos de programas\MSN Messenger

2008-12-17 13:39 . 2008-12-17 13:39 <DIR> d----c--- c:\arquivos de programas\Windows Live SkyDrive

2008-12-16 21:06 . 2008-12-16 21:06 19 --a------ c:\windows\system32\neycjc@yahoo.com.br

2008-12-14 18:55 . 2008-10-03 08:04 247,326 --------- c:\windows\system32\dllcache\strmdll.dll

2008-12-12 11:11 . 2008-12-12 11:11 236 --a------ C:\sqmdata12.sqm

2008-12-12 11:11 . 2008-12-12 11:11 200 --a------ C:\sqmnoopt12.sqm

2008-12-12 11:01 . 2008-12-12 11:01 <DIR> d-------- c:\windows\system32\VIRepair

2008-12-12 10:44 . 2008-12-12 10:44 78,942 --a------ c:\windows\Icon_3.ico

2008-12-06 23:15 . 2008-12-07 00:31 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Messenger Plus!

2008-12-06 21:26 . 2008-12-17 13:46 <DIR> d----c--- c:\arquivos de programas\Messenger Plus! Live

2008-12-06 21:15 . 2008-08-09 09:24 59,728 --a------ C:\msimg32.dll

2008-12-04 23:01 . 2008-12-04 23:17 <DIR> d-------- C:\cmdcons(2)

2008-11-27 00:21 . 2008-11-27 00:21 <DIR> d-------- c:\documents and settings\Administrador\Dados de aplicativos\Netscape

2008-11-27 00:10 . 2008-11-27 00:10 <DIR> d-------- c:\documents and settings\Administrador\Dados de aplicativos\Flock

2008-11-27 00:08 . 2008-12-04 23:18 <DIR> d----c--- c:\arquivos de programas\Flock(2)

2008-11-26 23:52 . 2008-12-14 18:25 <DIR> d----c--- c:\arquivos de programas\Opera

2008-11-24 19:17 . 2008-11-24 19:18 <DIR> d----c--- c:\arquivos de programas\Ares

2008-11-24 00:08 . 2008-11-24 00:08 268 --ah----- C:\sqmdata11.sqm

2008-11-24 00:08 . 2008-11-24 00:08 244 --ah----- C:\sqmnoopt11.sqm

2008-11-23 23:41 . 2008-11-23 23:41 236 --a------ C:\sqmdata10.sqm

2008-11-23 23:41 . 2008-11-23 23:41 200 --a------ C:\sqmnoopt10.sqm

2008-11-23 14:27 . 2008-12-16 16:49 <DIR> d----c--- c:\arquivos de programas\Windows Live

2008-11-22 23:24 . 2008-11-22 23:24 236 --a------ C:\sqmdata09.sqm

2008-11-22 23:24 . 2008-11-22 23:24 200 --a------ C:\sqmnoopt09.sqm

2008-11-22 21:55 . 2008-11-23 14:36 <DIR> d----c--- c:\arquivos de programas\LimeWire

2008-11-21 10:09 . 2008-11-21 10:09 236 --a------ C:\sqmdata08.sqm

2008-11-21 10:09 . 2008-11-21 10:09 200 --a------ C:\sqmnoopt08.sqm

2008-11-20 09:10 . 2008-11-20 09:10 236 --a------ C:\sqmdata07.sqm

2008-11-20 09:10 . 2008-11-20 09:10 200 --a------ C:\sqmnoopt07.sqm

2008-11-17 20:47 . 2008-11-17 20:47 236 --a------ C:\sqmdata05.sqm

2008-11-17 20:47 . 2008-11-17 20:47 200 --a------ C:\sqmnoopt05.sqm

2008-11-17 20:47 . 2008-11-17 20:47 120 --a------ C:\sqmnoopt06.sqm

2008-11-17 20:47 . 2008-11-17 20:47 120 --a------ C:\sqmdata06.sqm

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-17 00:56 293,376 ----a-w c:\windows\system32\WISPTIS.EXE

2008-12-14 21:45 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help

2008-12-10 15:55 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\LimeWire

2008-11-23 16:20 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\McAfee

2008-11-23 06:14 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\Skype

2008-11-23 03:05 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\skypePM

2008-11-20 11:02 --------- d-----w c:\documents and settings\LocalService\Dados de aplicativos\SACore

2008-11-17 01:13 --------- dc----w c:\arquivos de programas\MessengerDiscovery

2008-11-17 01:12 --------- dc----w c:\arquivos de programas\FLV Player

2008-11-17 01:12 --------- d-----w c:\documents and settings\NetworkService\Dados de aplicativos\SACore

2008-11-17 00:59 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\WLInstaller

2008-11-11 02:07 --------- dc----w c:\arquivos de programas\Microsoft Silverlight

2008-11-08 19:18 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\SecondLife

2008-10-27 16:59 --------- dc----w c:\arquivos de programas\Yahoo!

2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys

2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys

2008-10-23 12:37 286,720 ----a-w c:\windows\system32\gdi32.dll

2008-10-23 12:37 286,720 ------w c:\windows\system32\dllcache\gdi32.dll

2008-10-18 06:37 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\TuneUp Software

2008-10-18 06:13 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\TuneUp Software

2008-10-17 03:53 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll

2008-10-17 00:53 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Zylom

2008-10-17 00:53 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\Zylom

2008-10-17 00:52 --------- dc----w c:\arquivos de programas\Zylom Games

2008-10-16 16:13 202,776 ----a-w c:\windows\system32\wuweb.dll

2008-10-16 16:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll

2008-10-16 16:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll

2008-10-16 16:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll

2008-10-16 16:12 561,688 ----a-w c:\windows\system32\wuapi.dll

2008-10-16 16:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll

2008-10-16 16:12 323,608 ----a-w c:\windows\system32\wucltui.dll

2008-10-16 16:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll

2008-10-16 16:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll

2008-10-16 16:09 92,696 ----a-w c:\windows\system32\cdm.dll

2008-10-16 16:09 51,224 ----a-w c:\windows\system32\wuauclt.exe

2008-10-16 16:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe

2008-10-16 16:09 43,544 ----a-w c:\windows\system32\wups2.dll

2008-10-16 16:08 34,328 ----a-w c:\windows\system32\wups.dll

2008-10-16 16:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll

2008-10-16 16:06 268,648 ----a-w c:\windows\system32\mucltui.dll

2008-10-16 16:06 208,744 ----a-w c:\windows\system32\muweb.dll

2008-10-16 13:15 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe

2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe

2008-10-15 16:36 337,408 ------w c:\windows\system32\dllcache\netapi32.dll

2008-10-15 07:06 633,632 ----a-w c:\windows\system32\dllcache\iexplore.exe

2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll

2008-10-12 17:30 2,560 ----a-w c:\windows\_MSRSTRT.EXE

2008-10-03 10:04 247,326 ----a-w c:\windows\system32\strmdll.dll

.

 

------- Sigcheck -------

 

2001-02-20 14:09 8192 d36a33c21eeed5a6c1daecb7c80a1909 c:\windows\system32\CTFMON.EXE

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="c:\arquivos de programas\Alwil Software\Avast4\ashDisp.exe" [2008-11-26 81000]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_2"="shell32" [X]

"nltide_3"="advpack.dll" [2008-10-16 c:\windows\system32\advpack.dll]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableCAD"= 1 (0x1)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoSMHelp"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoSMHelp"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]

2008-09-17 09:05 210168 c:\arquivos de programas\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Orbit.lnk]

backup=c:\windows\pss\Orbit.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a--c--- 2008-06-12 03:38 34672 c:\arquivos de programas\Adobe\Reader 9.0\Reader\reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\domino]

--a------ 2006-07-04 15:16 49152 c:\windows\Domino.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

--a--c--- 2007-08-24 08:00 33648 c:\arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a--c--- 2008-05-27 11:50 413696 c:\arquivos de programas\QuickTime\QTTask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

-ra--c--- 2008-06-14 19:28 26992424 c:\arquivos de programas\Skype\Phone\Skype.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a--c--- 2008-06-10 05:27 144784 c:\arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

--a--c--- 2008-07-18 22:12 185896 c:\arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMSnap1]

--a------ 2006-07-17 12:27 49152 c:\windows\VMSnap1.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2001-02-20 14:09 8192 c:\windows\system32\CTFMON.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WMPNetworkSvc"=3 (0x3)

"WLSetupSvc"=3 (0x3)

"VideoAcceleratorService"=2 (0x2)

"UPS"=3 (0x3)

"ose"=3 (0x3)

"odserv"=3 (0x3)

"NMIndexingService"=3 (0x3)

"Microsoft Office Groove Audit Service"=3 (0x3)

"MDM"=2 (0x2)

"McAfee SiteAdvisor Service"=2 (0x2)

"iPod Service"=3 (0x3)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\Ares\\Ares.exe"=

"c:\\Arquivos de programas\\LimeWire\\LimeWire.exe"=

"c:\\Arquivos de programas\\iTunes\\iTunes.exe"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

"c:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=

"c:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"c:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

 

 

*Newly Created Service* - USNJSVC

.

Conteúdo da pasta 'Tarefas Agendadas'

 

2008-11-17 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\arquivos de programas\Apple Software Update\SoftwareUpdate.exe [2008-04-11 18:57]

 

2008-12-07 c:\windows\Tasks\GoogleUpdateTaskUser.job

- c:\documents and settings\Administrador\Configura []

.

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.terra.com.br/

uInternet Settings,ProxyOverride = *.local

IE: &Download by Orbit

IE: &Grab video by Orbit

IE: Do&wnload selected by Orbit

IE: Down&load all by Orbit

IE: E&xport to Microsoft Excel - c:\arquiv~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: {{3EA0FF1C-D61E-43AF-B189-857FC94413BF} - c:\arquivos de programas\FreshDevices\FreshDownload\fd.exe

IE: {{3EA0FF1C-D61E-43AF-B189-857FC94413BF} - c:\arquivos de programas\FreshDevices\FreshDownload\fd.exe -

TCP: {93A38ADE-A771-4BA2-A015-87F91A39AE6A} = 192.168.1.1

 

O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

FF - ProfilePath - c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\cgu85kv7.default\

FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\npzylomgamesplayer.dll

FF - plugin: c:\arquivos de programas\Yahoo!\Common\npyaxmpb.dll

FF - plugin: c:\documents and settings\All Users\Dados de aplicativos\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-17 15:40:04

Windows 5.1.2600 Service Pack 3 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

 

- - - - - - - > 'winlogon.exe'(692)

c:\arquivos de programas\Stardock\Object Desktop\WindowBlinds\wbsrv.dll

.

Tempo para conclusão: 2008-12-17 15:41:05

ComboFix-quarantined-files.txt 2008-12-17 17:41:03

ComboFix2.txt 2008-12-17 12:58:24

ComboFix3.txt 2008-12-06 22:54:52

ComboFix4.txt 2008-12-05 01:05:13

ComboFix5.txt 2008-12-17 17:37:07

 

Pré-execução: 19 pasta(s) 34.541.109.248 bytes disponíveis

Pós execução: 19 pasta(s) 34,560,937,984 bytes disponíveis

 

216 --- E O F --- 2008-12-17 13:49:20


Delete a pasta C:\Qoobox e o log C:\ComboFix.txt.

 

Selecione e copie todo o texto aqui abaixo dentro do code. Cole o texto copiado dentro do bloco de notas e salve na área de trabalho com o nome CFScript.txt

 

File::c:\windows\system32\neycjc@yahoo.com.brC:\sqmdata12.sqmC:\sqmnoopt12.sqmC:\sqmdata11.sqmC:\sqmnoopt11.sqmC:\sqmdata10.sqmC:\sqmnoopt10.sqmC:\sqmdata09.sqmC:\sqmnoopt09.sqmC:\sqmdata08.sqmC:\sqmnoopt08.sqmC:\sqmdata07.sqmC:\sqmnoopt07.sqmC:\sqmdata05.sqmC:\sqmnoopt05.sqmC:\sqmnoopt06.sqmC:\sqmdata06.sqm

 

Arraste o CFScript para o ComboFix como na imagem aqui abaixo e aguarde a execução automática da ferramenta:

 

CFScript.gif

 

● Se for solicitado à você, pressione Enter para iniciar o processo de remoção;

Não use o mouse nem o teclado quando o ComboFix estiver rodando;

● Quando terminar, será gerado um novo log que estará em C:\ComboFix.txt;

● Talvez seu computador seja reiniciado automaticamente. Caso não ocorra, reinicie-o manualmente.

 

In your next reply, paste ComboFix.txt and a new HijackThis log.


ComboFix 08-12-16.03 - Administrador 2008-12-17 17:50:07.7 - NTFSx86

 

Executando de: c:\documents and settings\Administrador\Desktop\ComboFix.exe

.

 

(((((((((((((((( Arquivos/Ficheiros criados de 2008-11-17 to 2008-12-17 ))))))))))))))))))))))))))))

.

 

2008-12-17 13:45 . 2008-12-17 13:46 <DIR> d----c--- c:\arquivos de programas\MSN Messenger

2008-12-17 13:39 . 2008-12-17 13:39 <DIR> d----c--- c:\arquivos de programas\Windows Live SkyDrive

2008-12-14 18:55 . 2008-10-03 08:04 247,326 --------- c:\windows\system32\dllcache\strmdll.dll

2008-12-12 11:01 . 2008-12-12 11:01 <DIR> d-------- c:\windows\system32\VIRepair

2008-12-12 10:44 . 2008-12-12 10:44 78,942 --a------ c:\windows\Icon_3.ico

2008-12-06 23:15 . 2008-12-07 00:31 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Messenger Plus!

2008-12-06 21:26 . 2008-12-17 13:46 <DIR> d----c--- c:\arquivos de programas\Messenger Plus! Live

2008-12-06 21:15 . 2008-08-09 09:24 59,728 --a------ C:\msimg32.dll

2008-12-04 23:01 . 2008-12-04 23:17 <DIR> d-------- C:\cmdcons(2)

2008-11-27 00:21 . 2008-11-27 00:21 <DIR> d-------- c:\documents and settings\Administrador\Dados de aplicativos\Netscape

2008-11-27 00:10 . 2008-11-27 00:10 <DIR> d-------- c:\documents and settings\Administrador\Dados de aplicativos\Flock

2008-11-27 00:08 . 2008-12-04 23:18 <DIR> d----c--- c:\arquivos de programas\Flock(2)

2008-11-26 23:52 . 2008-12-14 18:25 <DIR> d----c--- c:\arquivos de programas\Opera

2008-11-24 19:17 . 2008-11-24 19:18 <DIR> d----c--- c:\arquivos de programas\Ares

2008-11-23 14:27 . 2008-12-16 16:49 <DIR> d----c--- c:\arquivos de programas\Windows Live

2008-11-22 21:55 . 2008-11-23 14:36 <DIR> d----c--- c:\arquivos de programas\LimeWire

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-17 00:56 293,376 ----a-w c:\windows\system32\WISPTIS.EXE

2008-12-14 21:45 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help

2008-12-10 15:55 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\LimeWire

2008-11-23 16:20 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\McAfee

2008-11-23 06:14 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\Skype

2008-11-23 03:05 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\skypePM

2008-11-20 11:02 --------- d-----w c:\documents and settings\LocalService\Dados de aplicativos\SACore

2008-11-17 01:13 --------- dc----w c:\arquivos de programas\MessengerDiscovery

2008-11-17 01:12 --------- dc----w c:\arquivos de programas\FLV Player

2008-11-17 01:12 --------- d-----w c:\documents and settings\NetworkService\Dados de aplicativos\SACore

2008-11-17 00:59 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\WLInstaller

2008-11-11 02:07 --------- dc----w c:\arquivos de programas\Microsoft Silverlight

2008-11-08 19:18 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\SecondLife

2008-10-27 16:59 --------- dc----w c:\arquivos de programas\Yahoo!

2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys

2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys

2008-10-23 12:37 286,720 ----a-w c:\windows\system32\gdi32.dll

2008-10-23 12:37 286,720 ------w c:\windows\system32\dllcache\gdi32.dll

2008-10-18 06:37 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\TuneUp Software

2008-10-18 06:13 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\TuneUp Software

2008-10-17 03:53 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll

2008-10-17 00:53 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Zylom

2008-10-17 00:53 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\Zylom

2008-10-17 00:52 --------- dc----w c:\arquivos de programas\Zylom Games

2008-10-16 16:13 202,776 ----a-w c:\windows\system32\wuweb.dll

2008-10-16 16:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll

2008-10-16 16:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll

2008-10-16 16:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll

2008-10-16 16:12 561,688 ----a-w c:\windows\system32\wuapi.dll

2008-10-16 16:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll

2008-10-16 16:12 323,608 ----a-w c:\windows\system32\wucltui.dll

2008-10-16 16:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll

2008-10-16 16:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll

2008-10-16 16:09 92,696 ----a-w c:\windows\system32\cdm.dll

2008-10-16 16:09 51,224 ----a-w c:\windows\system32\wuauclt.exe

2008-10-16 16:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe

2008-10-16 16:09 43,544 ----a-w c:\windows\system32\wups2.dll

2008-10-16 16:08 34,328 ----a-w c:\windows\system32\wups.dll

2008-10-16 16:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll

2008-10-16 16:06 268,648 ----a-w c:\windows\system32\mucltui.dll

2008-10-16 16:06 208,744 ----a-w c:\windows\system32\muweb.dll

2008-10-16 13:15 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe

2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe

2008-10-15 16:36 337,408 ------w c:\windows\system32\dllcache\netapi32.dll

2008-10-15 07:06 633,632 ----a-w c:\windows\system32\dllcache\iexplore.exe

2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll

2008-10-12 17:30 2,560 ----a-w c:\windows\_MSRSTRT.EXE

2008-10-03 10:04 247,326 ----a-w c:\windows\system32\strmdll.dll

.

 

------- Sigcheck -------

 

2001-02-20 14:09 8192 d36a33c21eeed5a6c1daecb7c80a1909 c:\windows\system32\CTFMON.EXE

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="c:\arquivos de programas\Alwil Software\Avast4\ashDisp.exe" [2008-11-26 81000]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_2"="shell32" [X]

"nltide_3"="advpack.dll" [2008-10-16 c:\windows\system32\advpack.dll]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableCAD"= 1 (0x1)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoSMHelp"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoSMHelp"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]

2008-09-17 09:05 210168 c:\arquivos de programas\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Orbit.lnk]

backup=c:\windows\pss\Orbit.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a--c--- 2008-06-12 03:38 34672 c:\arquivos de programas\Adobe\Reader 9.0\Reader\reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\domino]

--a------ 2006-07-04 15:16 49152 c:\windows\Domino.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

--a--c--- 2007-08-24 08:00 33648 c:\arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a--c--- 2008-05-27 11:50 413696 c:\arquivos de programas\QuickTime\QTTask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

-ra--c--- 2008-06-14 19:28 26992424 c:\arquivos de programas\Skype\Phone\Skype.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a--c--- 2008-06-10 05:27 144784 c:\arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

--a--c--- 2008-07-18 22:12 185896 c:\arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMSnap1]

--a------ 2006-07-17 12:27 49152 c:\windows\VMSnap1.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2001-02-20 14:09 8192 c:\windows\system32\CTFMON.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WMPNetworkSvc"=3 (0x3)

"WLSetupSvc"=3 (0x3)

"VideoAcceleratorService"=2 (0x2)

"UPS"=3 (0x3)

"ose"=3 (0x3)

"odserv"=3 (0x3)

"NMIndexingService"=3 (0x3)

"Microsoft Office Groove Audit Service"=3 (0x3)

"MDM"=2 (0x2)

"McAfee SiteAdvisor Service"=2 (0x2)

"iPod Service"=3 (0x3)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\Ares\\Ares.exe"=

"c:\\Arquivos de programas\\LimeWire\\LimeWire.exe"=

"c:\\Arquivos de programas\\iTunes\\iTunes.exe"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

"c:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=

"c:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"c:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

 

.

Conteúdo da pasta 'Tarefas Agendadas'

 

2008-11-17 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\arquivos de programas\Apple Software Update\SoftwareUpdate.exe [2008-04-11 18:57]

 

2008-12-07 c:\windows\Tasks\GoogleUpdateTaskUser.job

- c:\documents and settings\Administrador\Configura []

.

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.terra.com.br/

uInternet Settings,ProxyOverride = *.local

IE: &Download by Orbit

IE: &Grab video by Orbit

IE: Do&wnload selected by Orbit

IE: Down&load all by Orbit

IE: E&xport to Microsoft Excel - c:\arquiv~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: {{3EA0FF1C-D61E-43AF-B189-857FC94413BF} - c:\arquivos de programas\FreshDevices\FreshDownload\fd.exe

IE: {{3EA0FF1C-D61E-43AF-B189-857FC94413BF} - c:\arquivos de programas\FreshDevices\FreshDownload\fd.exe -

TCP: {93A38ADE-A771-4BA2-A015-87F91A39AE6A} = 192.168.1.1

 

O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

FF - ProfilePath - c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\cgu85kv7.default\

FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\npzylomgamesplayer.dll

FF - plugin: c:\arquivos de programas\Yahoo!\Common\npyaxmpb.dll

FF - plugin: c:\documents and settings\All Users\Dados de aplicativos\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-17 17:52:13

Windows 5.1.2600 Service Pack 3 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

 

- - - - - - - > 'winlogon.exe'(684)

c:\arquivos de programas\Stardock\Object Desktop\WindowBlinds\wbsrv.dll

.

Tempo para conclusão: 2008-12-17 17:53:17

ComboFix-quarantined-files.txt 2008-12-17 19:53:14

 

Pré-execução: 19 pasta(s) 34,584,948,736 bytes disponíveis

Pós execução: 19 pasta(s) 34,577,264,640 bytes disponíveis

 

194 --- E O F --- 2008-12-17 13:49:20


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:59:10, on 17/12/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashDisp.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Octh Class - {000123B4-9B42-4900-B3F7-F4B073EFC214} - (no file)

O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Arquivos de programas\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - C:\ARQUIV~1\FreshDevices\FreshDownload\fdiebar.dll

O4 - HKLM\..\Run: [avast!] "C:\Arquivos de programas\Alwil Software\Avast4\ashDisp.exe"

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User '?')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User '?')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: FreshDownload - {3EA0FF1C-D61E-43AF-B189-857FC94413BF} - C:\Arquivos de programas\FreshDevices\FreshDownload\fd.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Arquivos de programas\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1221510508703

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD44/JSCDL/jdk/6u...ows-i586-jc.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{93A38ADE-A771-4BA2-A015-87F91A39AE6A}: NameServer = 192.168.1.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{93A38ADE-A771-4BA2-A015-87F91A39AE6A}: NameServer = 192.168.1.1

O17 - HKLM\System\CS2\Services\Tcpip\..\{93A38ADE-A771-4BA2-A015-87F91A39AE6A}: NameServer = 192.168.1.1

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\Skype4COM.dll

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: iPod Service - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)

 

--

End of file - 7063 bytes


Run HijackThis and click Do a system scan only. Check the entries below and click the Fix Checked button.

 

R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

 

O2 - BHO: Octh Class - {000123B4-9B42-4900-B3F7-F4B073EFC214} - (no file)

 

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

 

Close HijackThis.

 

Go to Start > Run, type combofix /u and press Enter. If any ComboFix files remain, delete the folders C:\Qoobox and C:\ComboFix, and the log at C:\ComboFix.txt.

 

Otherwise, your logs are clean.

 

Is there still any problem?

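The rule the helper applied in the post above (HijackThis entries whose target reads "(no file)" are dead references and can be ticked for Fix Checked, while an O23 service with "(file missing)" deserves a human look rather than an automatic fix), as an added Python example that is not the helper's or HijackThis's own code. The function and class names and the sample log are constructed; the sample lines copy the v2.0.2 format shown in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One HijackThis entry looks like "<section> - <description>", e.g. "O2 - BHO: ...".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
NO_FILE = "(no file)"            # hook/BHO whose DLL no longer exists: dead entry
FILE_MISSING = "(file missing)"  # service whose binary is gone: review, do not auto-fix


@dataclass
class Entry:
    section: str          # R0, R3, O2, O4, O23, ...
    body: str             # everything after "<section> - "
    clsid: Optional[str]  # COM class id if the entry carries one
    orphaned: bool        # True when the entry points at "(no file)"

    def line(self) -> str:
        return f"{self.section} - {self.body}"


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; header, separator and blank lines return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    clsid = CLSID_RE.search(body)
    return Entry(m.group("section"), body,
                 clsid.group(0) if clsid else None, NO_FILE in body)


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def orphaned_entries(text: str) -> List[str]:
    """Entries safe to tick in HijackThis: they reference a file that is gone."""
    return [e.line() for e in parse_log(text) if e.orphaned]


def review_entries(text: str) -> List[str]:
    """O23 services with a missing binary: flag for a human, never auto-fix."""
    return [e.line() for e in parse_log(text)
            if e.section == "O23" and FILE_MISSING in e.body]


# Constructed sample in the HijackThis v2.0.2 format used in this thread.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.terra.com.br/
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Octh Class - {000123B4-9B42-4900-B3F7-F4B073EFC214} - (no file)
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\\Arquivos de programas\\Arquivos comuns\\Adobe\\Acrobat\\ActiveX\\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\\..\\Run: [avast!] "C:\\Arquivos de programas\\Alwil Software\\Avast4\\ashDisp.exe"
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\\WINDOWS\\System32\\ups.exe (file missing)
"""

if __name__ == "__main__":
    for entry in orphaned_entries(SAMPLE_LOG):
        print("fix:   ", entry)
    for entry in review_entries(SAMPLE_LOG):
        print("review:", entry)
```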

PROBLEM SOLVED!

 

If the author needs the topic reopened, just send a Private Message to a Moderator with a link to the topic.
