
Archived

This topic has been archived and is closed to new replies.

sgtfonseca

[Solved!] Windows popping up


I was searching for some things on the net and ran a program, and I think it was some kind of spyware.

Now a casino page keeps opening, and every now and then something also appears as if it were going to scan, like an antivirus!

 

Here is the HijackThis log!

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:16:40, on 23/12/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\cmpe.exe

C:\Arquivos de programas\Canon\IJPLM\IJPLMSVC.EXE

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\Arquivos de programas\Java\jre6\bin\jusched.exe

C:\Arquivos de programas\Spyware Terminator\sp_rsser.exe

C:\Arquivos de programas\Spyware Terminator\SpywareTerminatorShield.exe

C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\explorer.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\WINDOWS\system32\rundll32.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\Documents and Settings\88248204\Configurações locais\Temporary Internet Files\Content.IE5\EDRRVEGT\HiJackThis[1].exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre6\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [sMSERIAL] C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe

O4 - HKLM\..\Run: [Office XP crack (nao remover)] C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Office10\zera_oxp.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe

O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe

O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Arquivos de programas\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon

O4 - HKLM\..\Run: [desp2k] C:\Arquivos de programas\Oi Velox\Manager\desp2k.exe

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [spywareTerminator] "C:\Arquivos de programas\Spyware Terminator\SpywareTerminatorShield.exe"

O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/...ash/swflash.cab

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{A9D6F7C8-EDCB-42A1-BE6A-92AB6684154A}: NameServer = 200.165.132.147 200.165.132.155

O20 - AppInit_DLLs: nsrobg.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Context Manager Process Extension (cmpe) - LightComm - C:\WINDOWS\system32\cmpe.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Arquivos de programas\Canon\IJPLM\IJPLMSVC.EXE

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Arquivos de programas\Spyware Terminator\sp_rsser.exe

 

--

End of file - 6806 bytes

 

 

And here is the ComboFix log!

 

ComboFix 08-12-23.01 - 88248204 2008-12-23 21:48:50.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1046.18.503.196 [GMT -2:00]

Running from: c:\documents and settings\88248204\Meus documentos\ComboFix.exe

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\88248204\Configurações locais\Temporary Internet Files\fbk.sts

c:\windows\system32\drivers\7ffaa03.sys

c:\windows\system32\drivers\npf.sys

c:\windows\system32\elifdcsr.dll

c:\windows\system32\lRBKnnmp.ini

c:\windows\system32\lRBKnnmp.ini2

c:\windows\system32\MEGATRON.ini

c:\windows\system32\nsrobg.dll

c:\windows\system32\packet.dll

c:\windows\system32\pdowwiem.dll

c:\windows\system32\pmnnKBRl.dll

c:\windows\system32\pthreadVC.dll

c:\windows\system32\wpcap.dll

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_NPF

-------\Service_7ffaa03

-------\Service_NPF

 

 

((((((((((((((((((((((((( Files Created from 2008-11-23 to 2008-12-23 )))))))))))))))))))))))))))))))

.

 

2008-12-23 20:05 . 2008-12-23 21:27 <DIR> d-------- c:\documents and settings\88248204\Dados de aplicativos\Spyware Terminator

2008-12-23 20:05 . 2008-12-23 20:05 141,312 --a------ c:\windows\system32\drivers\sp_rsdrv2.sys

2008-12-23 20:04 . 2008-12-23 21:42 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Spyware Terminator

2008-12-23 20:04 . 2008-12-23 21:27 <DIR> d-------- c:\arquivos de programas\Spyware Terminator

2008-12-23 19:28 . 2008-12-23 19:28 91 --a------ c:\windows\wininit.ini

2008-12-23 17:06 . 2008-12-23 17:06 58,880 --a------ c:\windows\system32\hggyaxuu.dll.ren

2008-12-23 17:06 . 2008-12-23 17:06 44,032 --a------ C:\yuqpba.exe

2008-12-23 17:06 . 2008-12-23 17:06 44,032 --a------ c:\windows\Ekesup.dll

2008-12-23 17:06 . 2008-12-23 17:06 2 --a------ C:\1078485700

2008-12-22 18:18 . 2008-12-22 18:18 <DIR> d-------- c:\arquivos de programas\MSXML 4.0

2008-12-22 18:03 . 2008-05-09 08:55 512,000 -----c--- c:\windows\system32\dllcache\jscript.dll

2008-12-22 18:03 . 2008-05-09 08:55 430,080 -----c--- c:\windows\system32\dllcache\vbscript.dll

2008-12-22 18:03 . 2008-05-09 08:55 180,224 -----c--- c:\windows\system32\dllcache\scrobj.dll

2008-12-22 18:03 . 2008-05-09 08:55 172,032 -----c--- c:\windows\system32\dllcache\scrrun.dll

2008-12-22 18:03 . 2008-05-08 09:24 155,648 -----c--- c:\windows\system32\dllcache\wscript.exe

2008-12-22 18:03 . 2008-05-09 06:45 135,168 -----c--- c:\windows\system32\dllcache\cscript.exe

2008-12-22 18:03 . 2008-05-09 08:55 90,112 -----c--- c:\windows\system32\dllcache\wshext.dll

2008-12-22 17:06 . 2008-12-22 17:09 <DIR> d-------- c:\arquivos de programas\GbPlugin

2008-12-22 17:04 . 2008-12-22 17:04 <DIR> d-------- c:\windows\Sun

2008-12-22 16:54 . 2008-12-22 16:53 410,984 --a------ c:\windows\system32\deploytk.dll

2008-12-22 16:54 . 2008-12-22 16:53 73,728 --a------ c:\windows\system32\javacpl.cpl

2008-12-22 16:53 . 2008-12-22 16:53 <DIR> d-------- c:\arquivos de programas\Java

2008-12-22 13:13 . 2008-12-22 13:13 <DIR> d-------- c:\arquivos de programas\TeXnicCenter

2008-12-22 13:13 . 2006-05-28 16:39 82,432 --a------ c:\windows\system32\msxml4r.dll

2008-12-22 13:13 . 2006-05-28 16:39 44,544 --a------ c:\windows\system32\msxml4a.dll

2008-12-22 13:12 . 2008-12-22 13:12 <DIR> d-------- c:\arquivos de programas\Ghostgum

2008-12-22 13:07 . 2008-12-22 13:07 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\MiKTeX

2008-12-22 12:56 . 2008-12-22 13:02 <DIR> d-------- c:\arquivos de programas\MiKTeX 2.7

2008-12-22 01:39 . 2008-12-22 17:02 43 --a------ c:\windows\gswin32.ini

2008-12-21 17:04 . 2008-12-21 17:04 <DIR> d-------- c:\arquivos de programas\gs

2008-12-21 13:19 . 2008-12-21 13:19 <DIR> d-------- c:\documents and settings\88248204\Dados de aplicativos\DivX

2008-12-21 13:16 . 2008-12-21 13:17 <DIR> d-------- c:\arquivos de programas\DivX

2008-12-20 12:27 . 2008-12-22 17:06 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\GbPlugin

2008-12-20 10:52 . 2008-12-20 10:56 <DIR> d-------- c:\windows\ServicePackFiles

2008-12-19 14:17 . 2008-12-20 10:55 <DIR> d-------- c:\windows\system32\bits

2008-12-19 14:17 . 2008-12-20 10:55 <DIR> d-------- c:\windows\l2schemas

2008-12-19 14:04 . 2008-04-13 14:36 144,384 --------- c:\windows\system32\drivers\hdaudbus.sys

2008-12-19 14:04 . 2008-04-13 16:36 79,232 --a------ c:\windows\system32\drivers\sdbus.sys

2008-12-19 14:04 . 2008-04-13 23:51 41,856 --a------ c:\windows\system32\drivers\amdk7.sys

2008-12-19 14:04 . 2008-04-13 23:57 40,448 --a------ c:\windows\system32\drivers\intelppm.sys

2008-12-19 14:04 . 2008-04-13 16:36 15,488 --a------ c:\windows\system32\drivers\mssmbios.sys

2008-12-19 14:04 . 2008-04-13 16:56 12,288 --a------ c:\windows\system32\drivers\tunmp.sys

2008-12-19 14:04 . 2008-04-13 16:40 11,904 --a------ c:\windows\system32\drivers\sffdisk.sys

2008-12-19 14:04 . 2008-04-13 16:40 11,008 --a------ c:\windows\system32\drivers\sffp_sd.sys

2008-12-19 14:03 . 2008-04-14 00:20 409,088 --a------ c:\windows\system32\qmgr.dll

2008-12-19 14:03 . 2008-06-14 15:34 272,384 --------- c:\windows\system32\drivers\bthport.sys

2008-12-19 14:03 . 2008-04-13 16:53 264,832 --a------ c:\windows\system32\drivers\http.sys

2008-12-19 14:03 . 2008-04-13 16:32 129,792 --a------ c:\windows\system32\drivers\fltmgr.sys

2008-12-19 14:03 . 2008-04-13 16:53 36,608 --a------ c:\windows\system32\drivers\ip6fw.sys

2008-12-19 14:03 . 2008-04-13 16:45 30,208 --a------ c:\windows\system32\drivers\usbehci.sys

2008-12-19 13:56 . 2008-08-14 11:24 2,193,408 --a------ c:\windows\system32\ntoskrnl.exe

2008-12-19 13:48 . 2008-12-19 15:10 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\NOS

2008-12-19 13:48 . 2008-12-19 15:10 <DIR> d-------- c:\arquivos de programas\NOS

2008-12-19 13:12 . 2008-12-19 15:11 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Spybot - Search & Destroy

2008-12-19 13:12 . 2008-12-19 15:09 <DIR> d-------- c:\arquivos de programas\Spybot - Search & Destroy

2008-12-19 12:59 . 2008-12-23 19:31 <DIR> d-------- c:\arquivos de programas\Mozilla Firefox 3.1 Beta 2

2008-12-19 12:59 . 2008-12-19 12:59 0 --a------ c:\windows\nsreg.dat

2008-12-19 12:29 . 2008-12-19 14:02 <DIR> d-------- c:\documents and settings\88248204\Dados de aplicativos\Winamp

2008-12-19 12:29 . 2008-12-19 12:30 <DIR> d-------- c:\arquivos de programas\Winamp

2008-11-23 19:03 . 2008-11-23 19:03 268 --ah----- C:\sqmdata13.sqm

2008-11-23 19:03 . 2008-11-23 19:03 244 --ah----- C:\sqmnoopt13.sqm

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-23 23:29 --------- d-----w c:\documents and settings\88248204\Dados de aplicativos\Lightcomm

2008-12-23 21:38 --------- d-----w c:\arquivos de programas\eMule

2008-12-22 21:39 --------- d-----w c:\arquivos de programas\Google

2008-12-20 20:39 --------- d-----w c:\arquivos de programas\Megacubo

2008-12-20 20:32 --------- d-----w c:\arquivos de programas\MSN Messenger

2008-12-19 17:15 --------- d-----w c:\arquivos de programas\Arquivos comuns\Adobe

2008-12-19 15:44 --------- d-----w c:\documents and settings\88248204\Dados de aplicativos\AdobeUM

2008-11-21 21:47 524,288 ----a-w c:\windows\system32\DivXsm.exe

2008-11-21 21:47 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll

2008-11-21 21:46 200,704 ----a-w c:\windows\system32\ssldivx.dll

2008-11-21 21:46 1,044,480 ----a-w c:\windows\system32\libdivx.dll

2008-11-21 21:44 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe

2008-11-21 21:44 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll

2008-11-05 00:30 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Apple Computer

2008-11-05 00:30 --------- d-----w c:\arquivos de programas\QuickTime Alternative

2008-11-05 00:00 4,418,219 ----a-w c:\arquivos de programas\megacubo_log.log

2008-11-04 23:49 --------- d-----w c:\documents and settings\88248204\Dados de aplicativos\TeamViewer

2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys

2008-10-23 12:37 286,720 ----a-w c:\windows\system32\gdi32.dll

2008-10-16 20:23 826,368 ----a-w c:\windows\system32\wininet.dll

2008-10-16 16:13 202,776 ----a-w c:\windows\system32\wuweb.dll

2008-10-16 16:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll

2008-10-16 16:12 561,688 ----a-w c:\windows\system32\wuapi.dll

2008-10-16 16:12 323,608 ----a-w c:\windows\system32\wucltui.dll

2008-10-16 16:09 92,696 ----a-w c:\windows\system32\cdm.dll

2008-10-16 16:09 51,224 ----a-w c:\windows\system32\wuauclt.exe

2008-10-16 16:09 43,544 ----a-w c:\windows\system32\wups2.dll

2008-10-16 16:08 34,328 ----a-w c:\windows\system32\wups.dll

2008-10-03 10:04 247,326 ----a-w c:\windows\system32\strmdll.dll

2008-09-30 18:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll

2008-07-09 22:28 16,752 ----a-w c:\documents and settings\88248204\Dados de aplicativos\GDIPFONTCACHEV1.DAT

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-25 68856]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"MSMSGS"="c:\arquivos de programas\Messenger\msmsgs.exe" [2008-04-14 1695232]

"SpybotSD TeaTimer"="c:\arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-10-12 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-10-12 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-10-12 137752]

"SMSERIAL"="c:\arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-29 638976]

"Office XP crack (nao remover)"="c:\arquivos de programas\Arquivos comuns\Microsoft Shared\Office10\zera_oxp.exe" [2001-06-16 110639]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"tsnp2std"="c:\windows\tsnp2std.exe" [2006-05-22 262144]

"snp2std"="c:\windows\vsnp2std.exe" [2006-05-15 675840]

"Easy-PrintToolBox"="c:\arquivos de programas\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2006-10-16 398944]

"desp2k"="c:\arquivos de programas\Oi Velox\Manager\desp2k.exe" [2006-08-03 65536]

"avast!"="c:\arquiv~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]

"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre6\bin\jusched.exe" [2008-12-22 136600]

"SpywareTerminator"="c:\arquivos de programas\Spyware Terminator\SpywareTerminatorShield.exe" [2008-12-23 1783808]

"RTHDCPL"="RTHDCPL.EXE" [2007-11-30 c:\windows\RTHDCPL.exe]

 

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\

Microsoft Office.lnk - c:\arquivos de programas\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=nsrobg.dll

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\eMule\\emule.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=

"c:\\Arquivos de programas\\Megacubo\\megacubo.exe"=

"c:\\WINDOWS\\system32\\rtcshare.exe"=

"c:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"c:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

 

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-07-14 111184]

R1 sp_rsdrv2;Spyware Terminator Driver 2;\??\c:\windows\system32\drivers\sp_rsdrv2.sys [2008-12-23 141312]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-07-14 20560]

R2 cmpe;Context Manager Process Extension;c:\windows\system32\cmpe.exe [2007-02-26 61440]

R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\DRIVERS\RMSPPPOE.SYS [2002-06-10 31232]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f384561-9eb8-11dd-af3d-0019dbe18976}]

\Shell\Auto\command - fun.xls.exe

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe

.

Contents of the 'Scheduled Tasks' folder

 

2008-12-23 c:\windows\Tasks\blcdpslx.job

- c:\windows\system32\rundll32.exe [2008-04-14 00:21]

.

- - - - ORPHANS REMOVED - - - -

 

BHO-{026ec4cd-7d17-4474-b6d5-1e8538acb5c8} - (no file)

BHO-{ceba44a8-6b84-4772-b273-1d91b243fd7a} - c:\windows\system32\pmnnKBRl.dll

Notify-hggyaxuu - hgGyaxuU.dll

 

 

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com.br/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office10\EXCEL.EXE/3000

TCP: {A9D6F7C8-EDCB-42A1-BE6A-92AB6684154A} = 200.165.132.147 200.165.132.155

 

c:\windows\Downloaded Program Files\gbpdist.dll - O16 -: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931}

hxxps://www14.bancobrasil.com.br/plugin/GbpDist.cab

c:\windows\Downloaded Program Files\gbpdist.inf

FF - ProfilePath - c:\documents and settings\88248204\Dados de aplicativos\Mozilla\Firefox\Profiles\sqci9766.default\

FF - component: c:\documents and settings\88248204\Dados de aplicativos\Mozilla\Firefox\Profiles\sqci9766.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E886C}\components\GbMzhBb.dll

FF - component: c:\documents and settings\88248204\Dados de aplicativos\Mozilla\Firefox\Profiles\sqci9766.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E8874}\components\GbMzhAbn.dll

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-23 21:53:46

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

c:\arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

c:\arquivos de programas\Alwil Software\Avast4\ashServ.exe

c:\arquivos de programas\Canon\IJPLM\ijplmsvc.exe

c:\arquivos de programas\Java\jre6\bin\jqs.exe

c:\windows\system32\igfxsrvc.exe

c:\arquivos de programas\Spyware Terminator\sp_rsser.exe

c:\windows\system32\wscntfy.exe

c:\arquivos de programas\Alwil Software\Avast4\Setup\avast.setup

c:\arquivos de programas\Internet Explorer\iexplore.exe

.

**************************************************************************

.

Completion time: 2008-12-23 21:59:38 - machine was rebooted

ComboFix-quarantined-files.txt 2008-12-23 23:59:34

 

Pre-Run: 10 pasta(s) 10.728.476.672 bytes disponíveis

Post-Run: 10 pasta(s) 10,797,457,408 bytes disponíveis

 

225 --- E O F --- 2008-12-22 20:21:03

 

 

Thanks in advance for the help!


Hello sgtfonseca, welcome to the Forum!

 

- Uninstall the HijackThis program and install it again, but this time extract it to your desktop.

 

Note: Do not use ComboFix on your own; it is a very dangerous tool that can damage your computer, and it should only be used under the authorization of a log analyst.

 

I suggest you print or save the procedures below, and do not use the internet until the procedure is finished.

 

Select and copy the text inside the QUOTE (grey box) below. Open Notepad and paste what you copied. Then save it on the desktop with the name CFScript.txt.

 

File::

C:\sqmdata13.sqm

Folder::

c:\documents and settings\88248204\Dados de aplicativos\GDIPFONTCACHEV1.DAT

Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f384561-9eb8-11dd-af3d-0019dbe18976}]

 

This script was written only for this computer, based on the files and keys present; do not use it on another computer, as it may cause damage.

 

Now drag CFScript.txt onto ComboFix as shown in the demonstration below.

 

[image: cfscript.gif]

 

ComboFix will run and will restart the PC automatically to complete the removal process.

 

IMPORTANT: Do not use the mouse or the keyboard while ComboFix is running.

 

When it finishes, a log will be generated at C:\ComboFix.txt.

 

Post it together with the new HijackThis log.

 

-------------------------------------------

 

Using the Internet Explorer browser, go to the Kaspersky Online Scanner and run an online scan following the tutorial below.

 

Kaspersky Online Scanner Tutorial

 

When the scan finishes, save the report with the .txt extension (as shown at the end of the tutorial) and post it in your next reply.

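As an added example that is not part of this thread, here is a small Python triage pass over HijackThis log lines of the kind pasted above. It flags the entry types a log analyst checks first: orphaned BHO CLSIDs (O2 with no file), AppInit_DLLs injection and Winlogon Notify packages that point at a folder instead of a DLL (O20), and Run entries (O4) launched from the Windows root or by bare file name. The sample lines are constructed from shapes seen in this thread, and the rules and severity scale are my own assumptions, not HijackThis output.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: HijackThis v2 lines in the shapes seen in this thread
# (a subset, with entries picked to exercise each rule below).
SAMPLE_LOG = [
    "R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157",
    "O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)",
    "O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Arquivos de programas\\Java\\jre6\\bin\\ssv.dll",
    "O4 - HKLM\\..\\Run: [avast!] C:\\ARQUIV~1\\ALWILS~1\\Avast4\\ashDisp.exe",
    "O4 - HKLM\\..\\Run: [tsnp2std] C:\\WINDOWS\\tsnp2std.exe",
    "O4 - HKLM\\..\\Run: [RTHDCPL] RTHDCPL.EXE",
    "O4 - HKCU\\..\\Run: [MSMSGS] \"C:\\Arquivos de programas\\Messenger\\msmsgs.exe\" /background",
    "O20 - AppInit_DLLs: nsrobg.dll",
    "O20 - Winlogon Notify: hggyaxuu - C:\\WINDOWS\\",
    "O23 - Service: avast! Antivirus - ALWIL Software - C:\\Arquivos de programas\\Alwil Software\\Avast4\\ashServ.exe",
]

# Every HijackThis entry starts with a section tag (R0, O2, O20, ...) then " - ".
LINE_RE = re.compile(r"^([RO]\d+) - (.*)$")
RUN_PREFIXES = ("HKLM\\..\\Run:", "HKCU\\..\\Run:")


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O20"
    severity: str  # "low" | "medium" | "high" (assumed triage scale, not HijackThis's)
    reason: str
    line: str


def run_target(body: str) -> str:
    """Extract the launched path from an O4 body such as
    'HKLM\\..\\Run: [name] "C:\\x.exe" /flag' (quotes and arguments dropped)."""
    if "] " not in body:
        return ""
    rest = body.split("] ", 1)[1].strip()
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    return rest.split(" /", 1)[0]


def classify(section: str, body: str, line: str) -> List[Finding]:
    """Apply the triage rules to one parsed entry (rules are assumptions)."""
    found: List[Finding] = []
    if section == "O2" and body.endswith("(no file)"):
        found.append(Finding(section, "low", "orphaned BHO: CLSID registered but DLL missing", line))
    elif section == "O4" and body.startswith(RUN_PREFIXES):
        target = run_target(body)
        parent = target.rsplit("\\", 1)[0].lower() if "\\" in target else None
        if parent is None:
            found.append(Finding(section, "medium", f"bare file name resolved via PATH search: {target}", line))
        elif parent in ("c:\\windows", "c:"):
            found.append(Finding(section, "medium", f"autorun binary in the Windows or drive root: {target}", line))
    elif section == "O20":
        if body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            found.append(Finding(section, "high", "AppInit_DLLs set: DLL is loaded into every user32 process", line))
        elif body.startswith("Winlogon Notify:") and body.endswith("\\"):
            found.append(Finding(section, "high", "Winlogon Notify package points at a folder, not a DLL", line))
    return found


def triage(lines: List[str]) -> List[Finding]:
    """Parse HijackThis lines and return findings in log order."""
    findings: List[Finding] = []
    for raw in lines:
        entry = raw.strip()
        m = LINE_RE.match(entry)
        if not m:
            continue  # header, blank, or 'End of file' line
        findings.extend(classify(m.group(1), m.group(2), entry))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```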

I did what you said with ComboFix; it started running and restarted the PC, but there is no .txt file saved.

Here is the HijackThis log!

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:57, on 2008-12-27

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\savedump.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\ARQUIV~1\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe

C:\WINDOWS\tsnp2std.exe

C:\WINDOWS\vsnp2std.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Arquivos de programas\Oi Velox\Manager\desp2k.exe

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Arquivos de programas\Java\jre6\bin\jusched.exe

C:\ARQUIV~1\SPYWAR~1\SpywareTerminatorShield.exe

C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\cmpe.exe

C:\Arquivos de programas\Canon\IJPLM\IJPLMSVC.EXE

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\Arquivos de programas\Spyware Terminator\sp_rsser.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\88248204\Desktop\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: (no name) - {026ec4cd-7d17-4474-b6d5-1e8538acb5c8} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre6\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\ARQUIV~1\GbPlugin\gbiehabn.dll

O2 - BHO: (no name) - {ceba44a8-6b84-4772-b273-1d91b243fd7a} - (no file)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [sMSERIAL] C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe

O4 - HKLM\..\Run: [Office XP crack (nao remover)] C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Office10\zera_oxp.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe

O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe

O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Arquivos de programas\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon

O4 - HKLM\..\Run: [desp2k] C:\Arquivos de programas\Oi Velox\Manager\desp2k.exe

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [spywareTerminator] "C:\ARQUIV~1\SPYWAR~1\SpywareTerminatorShield.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/...ash/swflash.cab

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{A9D6F7C8-EDCB-42A1-BE6A-92AB6684154A}: NameServer = 200.165.132.147 200.165.132.155

O20 - Winlogon Notify: GbPluginAbn - C:\ARQUIV~1\GbPlugin\gbiehabn.dll

O20 - Winlogon Notify: hggyaxuu - C:\WINDOWS\

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Context Manager Process Extension (cmpe) - LightComm - C:\WINDOWS\system32\cmpe.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Arquivos de programas\Canon\IJPLM\IJPLMSVC.EXE

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Arquivos de programas\Spyware Terminator\sp_rsser.exe

 

--

End of file - 7473 bytes

 

 

 

And the Kaspersky log:

 

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7 REPORT

Saturday, December 27, 2008

Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Saturday, December 27, 2008 20:46:42

Records in database: 1521662

--------------------------------------------------------------------------------

 

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

 

Scan area - My Computer:

C:\

D:\

E:\

F:\

G:\

H:\

I:\

 

Scan statistics:

Files scanned: 60470

Threat name: 8

Infected objects: 11

Suspicious objects: 0

Duration of the scan: 01:19:47

 

 

File name / Threat name / Threats count

C:\Arquivos de programas\Alwil Software\Avast4\DATA\moved\A0030026.exe.vir Infected: Trojan-Downloader.Win32.Banload.ofl 1

C:\Arquivos de programas\Alwil Software\Avast4\DATA\moved\trz40.tmp.vir Infected: Backdoor.Win32.KeyStart.m 1

C:\Arquivos de programas\Alwil Software\Avast4\DATA\moved\wssl713fro[1].exe.vir Infected: Backdoor.Win32.KeyStart.m 1

C:\Documents and Settings\88248204\Configurações locais\temp\Av-test.txt Infected: EICAR-Test-File 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_7ffaa03_.sys.zip Infected: Rootkit.Win32.Pakes.gg 2

C:\Qoobox\Quarantine\C\WINDOWS\system32\elifdcsr.dll.vir Infected: Trojan.Win32.Monder.afdj 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\nsrobg.dll.vir Infected: Trojan.Win32.Monder.afdj 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\pdowwiem.dll.vir Infected: Trojan.Win32.Monder.afdh 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\pmnnKBRl.dll.vir Infected: Trojan.Win32.Monder.afdi 1

C:\WINDOWS\system32\hggyaxuu.dll.ren Infected: Trojan.Win32.Monder.afdk 1

 

The selected area was scanned.


Hello, run the ComboFix procedure again, but this time in Safe Mode.

 

- Download Killbox and run it:

 

• Check the Delete on Reboot option. Copy the list below (select it and click Edit > Copy, or press Ctrl + C):

 

C:\WINDOWS\system32\hggyaxuu.dll.ren

 

• Go back to KillBox. Click File > Paste from clipboard. Click the All Files button;

• Click the button and answer No to the question.

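The step above comes from correlating two logs by hand: the HijackThis entry `O20 - Winlogon Notify: hggyaxuu - C:\WINDOWS\` (a notify package whose module path is a bare directory) and the Kaspersky line flagging `C:\WINDOWS\system32\hggyaxuu.dll.ren` as Trojan.Win32.Monder, which together single out the one live file still worth handing to a delete-on-reboot tool. The Python below is an added triage example, not code from this thread or from HijackThis, Kaspersky or Killbox. The sample lines are copied from the logs posted above; the quarantine path markers, the wrapper-suffix list and the two structural heuristics (directory-only Winlogon Notify path, non-empty AppInit_DLLs) are my own assumptions.

```python
"""Correlate HijackThis autostart entries with Kaspersky detections (added example)."""
import re
from pathlib import PureWindowsPath

# Sample lines copied from the HijackThis and Kaspersky logs posted in this thread
HJT_SAMPLE = r"""
O20 - Winlogon Notify: GbPluginAbn - C:\ARQUIV~1\GbPlugin\gbiehabn.dll
O20 - Winlogon Notify: hggyaxuu - C:\WINDOWS\
O20 - AppInit_DLLs: nsrobg.dll
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
"""
KAV_SAMPLE = r"""
C:\WINDOWS\system32\hggyaxuu.dll.ren Infected: Trojan.Win32.Monder.afdk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\nsrobg.dll.vir Infected: Trojan.Win32.Monder.afdj 1
C:\Documents and Settings\88248204\Configurações locais\temp\Av-test.txt Infected: EICAR-Test-File 1
"""

# Assumption: files under these markers are copies already isolated by ComboFix or Avast
QUARANTINE_MARKERS = ("\\qoobox\\quarantine\\", "\\avast4\\data\\moved\\")
# Assumption: suffixes the cleanup tools append when they rename or archive a sample
WRAPPER_SUFFIXES = (".vir", ".ren", ".zip")

KAV_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+\d+$")
O20_NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify:\s+(?P<name>\S+)\s+-\s*(?P<path>.*)$")
O20_APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s+(?P<dlls>.+)$")
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def stem_of(path_or_name: str) -> str:
    """Lower-cased base name without wrapper suffixes or extension, so that
    'C:\\WINDOWS\\system32\\hggyaxuu.dll.ren' and the notify name 'hggyaxuu' agree."""
    name = PureWindowsPath(path_or_name).name.lower()
    while name.endswith(WRAPPER_SUFFIXES):
        name = name.rsplit(".", 1)[0]
    return name.rsplit(".", 1)[0]


def exe_from_command(cmd: str) -> str:
    """Strip quoting and trailing arguments from an O4 Run value."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" /", 1)[0]


def parse_kav(text: str) -> dict:
    """Map file stem -> detections parsed from a Kaspersky Online Scanner report."""
    hits: dict = {}
    for line in text.splitlines():
        m = KAV_RE.match(line.strip())
        if not m:
            continue
        path = m["path"]
        hits.setdefault(stem_of(path), []).append({
            "path": path,
            "threat": m["threat"],
            "quarantined": any(mk in path.lower() for mk in QUARANTINE_MARKERS),
        })
    return hits


def parse_hjt(text: str) -> list:
    """Extract the autostart entries (O20 notify/AppInit, O4 Run) this triage inspects."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := O20_NOTIFY_RE.match(line):
            entries.append({"kind": "Winlogon Notify", "name": m["name"], "path": m["path"]})
        elif m := O20_APPINIT_RE.match(line):
            for dll in re.split(r"[,\s]+", m["dlls"].strip()):
                entries.append({"kind": "AppInit_DLLs", "name": dll, "path": dll})
        elif m := O4_RUN_RE.match(line):
            entries.append({"kind": f"{m['hive']} Run", "name": m["name"],
                            "path": exe_from_command(m["cmd"])})
    return entries


def triage(hjt_text: str, kav_text: str) -> list:
    """Flag entries that are structurally odd or whose module matches a detection."""
    hits = parse_kav(kav_text)
    findings = []
    for e in parse_hjt(hjt_text):
        reasons, delete_candidates = [], []
        has_file = bool(e["path"]) and not e["path"].endswith("\\")
        if e["kind"] == "Winlogon Notify" and not has_file:
            reasons.append("Winlogon Notify module path has no file name")
        if e["kind"] == "AppInit_DLLs":
            reasons.append("AppInit_DLLs is loaded into every process that links user32.dll")
        stems = {stem_of(e["name"])}
        if has_file:
            stems.add(stem_of(e["path"]))
        for s in sorted(stems):
            for hit in hits.get(s, []):
                where = "quarantined copy" if hit["quarantined"] else "live file"
                reasons.append(f"{hit['threat']} detected in {where}: {hit['path']}")
                if not hit["quarantined"]:
                    delete_candidates.append(hit["path"])
        if reasons:
            findings.append({"entry": e, "reasons": reasons, "delete_candidates": delete_candidates})
    return findings


def killbox_list(findings: list) -> list:
    """Unique live paths to hand to a delete-on-reboot tool; quarantined copies are excluded."""
    return sorted({p for f in findings for p in f["delete_candidates"]})


if __name__ == "__main__":
    for f in triage(HJT_SAMPLE, KAV_SAMPLE):
        print(f["entry"]["kind"], f["entry"]["name"], "->", "; ".join(f["reasons"]))
    print("delete on reboot:", killbox_list(triage(HJT_SAMPLE, KAV_SAMPLE)))
```

On the sample, only `hggyaxuu` ends up in the delete list: the `nsrobg.dll` AppInit entry is reported, but its only detected copy is already in the ComboFix quarantine, so what remains is a stale registry value rather than a file to remove. The EICAR test file in Kaspersky's report is ignored because no autostart entry references it.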

Done!

Here is the ComboFix log!

 

ComboFix 08-12-26.03 - 88248204 2008-12-30 21:40:20.4 - NTFSx86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1046.18.503.349 [GMT -2:00]

Executando de: c:\documents and settings\88248204\Meus documentos\ComboFix.exe

Comandos utilizados :: c:\documents and settings\88248204\Desktop\CFScript.txt

AV: avast! antivirus 4.8.1296 [VPS 081230-0] *On-access scanning disabled* (Outdated)

 

FILE ::

C:\sqmdata13.sqm

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\88248204\Configurações locais\Temporary Internet Files\fbk.sts

c:\documents and settings\88248204\Dados de aplicativos\GDIPFONTCACHEV1.DAT\

C:\sqmdata13.sqm

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_GBPSV

-------\Service_GbpSv

 

 

(((((((((((((((( Arquivos/Ficheiros criados de 2008-11-28 to 2008-12-30 ))))))))))))))))))))))))))))

.

 

2008-12-30 21:28 . 2008-12-30 21:28 <DIR> d-------- c:\documents and settings\Administrador\Dados de aplicativos\Lightcomm

2008-12-30 21:27 . 2008-05-02 19:15 <DIR> d--h----- c:\documents and settings\Administrador\Modelos

2008-12-30 21:27 . 2008-05-02 16:11 <DIR> d-------- c:\documents and settings\Administrador\Meus documentos

2008-12-30 21:27 . 2008-05-02 16:11 <DIR> dr------- c:\documents and settings\Administrador\Menu Iniciar

2008-12-30 21:27 . 2008-05-02 16:11 <DIR> d-------- c:\documents and settings\Administrador\Favoritos

2008-12-30 21:27 . 2008-12-30 21:28 <DIR> dr-h----- c:\documents and settings\Administrador\Dados de aplicativos

2008-12-30 21:27 . 2008-12-30 21:27 <DIR> d--h----- c:\documents and settings\Administrador\Configurações locais

2008-12-30 21:27 . 2008-05-02 16:11 <DIR> d--h----- c:\documents and settings\Administrador\Ambiente de rede

2008-12-30 21:27 . 2008-05-02 16:11 <DIR> d--h----- c:\documents and settings\Administrador\Ambiente de impressão

2008-12-30 21:27 . 2008-12-30 21:27 <DIR> d-------- c:\documents and settings\Administrador

2008-12-29 21:03 . 2008-10-24 12:10 31,296 --a------ c:\windows\system32\drivers\gbpkm.sys

2008-12-26 03:30 . 2008-12-26 03:30 <DIR> d-------- c:\arquivos de programas\Gabest

2008-12-23 22:37 . 2008-12-23 22:37 <DIR> d-------- c:\arquivos de programas\WinPcap

2008-12-23 22:21 . 2008-12-23 22:23 <DIR> d-------- C:\LinhaDefensiva

2008-12-23 20:05 . 2008-12-30 11:01 <DIR> d-------- c:\documents and settings\88248204\Dados de aplicativos\Spyware Terminator

2008-12-23 20:05 . 2008-12-23 20:05 141,312 --a------ c:\windows\system32\drivers\sp_rsdrv2.sys

2008-12-23 20:04 . 2008-12-29 11:14 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Spyware Terminator

2008-12-23 20:04 . 2008-12-30 11:00 <DIR> d-------- c:\arquivos de programas\Spyware Terminator

2008-12-23 19:28 . 2008-12-23 19:28 91 --a------ c:\windows\wininit.ini

2008-12-23 17:06 . 2008-12-23 17:06 58,880 --a------ c:\windows\system32\hggyaxuu.dll.ren

2008-12-23 17:06 . 2008-12-23 17:06 44,032 --a------ C:\yuqpba.exe

2008-12-23 17:06 . 2008-12-23 17:06 44,032 --a------ c:\windows\Ekesup.dll

2008-12-23 17:06 . 2008-12-23 17:06 2 --a------ C:\1078485700

2008-12-22 18:18 . 2008-12-22 18:18 <DIR> d-------- c:\arquivos de programas\MSXML 4.0

2008-12-22 18:03 . 2008-05-09 08:55 512,000 -----c--- c:\windows\system32\dllcache\jscript.dll

2008-12-22 18:03 . 2008-05-09 08:55 430,080 -----c--- c:\windows\system32\dllcache\vbscript.dll

2008-12-22 18:03 . 2008-05-09 08:55 180,224 -----c--- c:\windows\system32\dllcache\scrobj.dll

2008-12-22 18:03 . 2008-05-09 08:55 172,032 -----c--- c:\windows\system32\dllcache\scrrun.dll

2008-12-22 18:03 . 2008-05-08 09:24 155,648 -----c--- c:\windows\system32\dllcache\wscript.exe

2008-12-22 18:03 . 2008-05-09 06:45 135,168 -----c--- c:\windows\system32\dllcache\cscript.exe

2008-12-22 18:03 . 2008-05-09 08:55 90,112 -----c--- c:\windows\system32\dllcache\wshext.dll

2008-12-22 17:06 . 2008-12-30 09:34 <DIR> d-------- c:\arquivos de programas\GbPlugin

2008-12-22 17:04 . 2008-12-22 17:04 <DIR> d-------- c:\windows\Sun

2008-12-22 16:54 . 2008-12-22 16:53 410,984 --a------ c:\windows\system32\deploytk.dll

2008-12-22 16:54 . 2008-12-22 16:53 73,728 --a------ c:\windows\system32\javacpl.cpl

2008-12-22 16:53 . 2008-12-22 16:53 <DIR> d-------- c:\arquivos de programas\Java

2008-12-22 13:13 . 2008-12-22 13:13 <DIR> d-------- c:\arquivos de programas\TeXnicCenter

2008-12-22 13:13 . 2006-05-28 16:39 82,432 --a------ c:\windows\system32\msxml4r.dll

2008-12-22 13:13 . 2006-05-28 16:39 44,544 --a------ c:\windows\system32\msxml4a.dll

2008-12-22 13:12 . 2008-12-22 13:12 <DIR> d-------- c:\arquivos de programas\Ghostgum

2008-12-22 13:07 . 2008-12-22 13:07 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\MiKTeX

2008-12-22 12:56 . 2008-12-22 13:02 <DIR> d-------- c:\arquivos de programas\MiKTeX 2.7

2008-12-22 01:39 . 2008-12-22 17:02 43 --a------ c:\windows\gswin32.ini

2008-12-21 17:04 . 2008-12-21 17:04 <DIR> d-------- c:\arquivos de programas\gs

2008-12-21 13:19 . 2008-12-21 13:19 <DIR> d-------- c:\documents and settings\88248204\Dados de aplicativos\DivX

2008-12-21 13:16 . 2008-12-21 13:17 <DIR> d-------- c:\arquivos de programas\DivX

2008-12-20 12:27 . 2008-12-30 21:39 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\GbPlugin

2008-12-20 10:52 . 2008-12-20 10:56 <DIR> d-------- c:\windows\ServicePackFiles

2008-12-19 14:17 . 2008-12-20 10:55 <DIR> d-------- c:\windows\system32\bits

2008-12-19 14:17 . 2008-12-20 10:55 <DIR> d-------- c:\windows\l2schemas

2008-12-19 14:04 . 2008-04-13 14:36 144,384 --------- c:\windows\system32\drivers\hdaudbus.sys

2008-12-19 14:04 . 2008-04-13 16:36 79,232 --a------ c:\windows\system32\drivers\sdbus.sys

2008-12-19 14:04 . 2008-04-13 23:51 41,856 --a------ c:\windows\system32\drivers\amdk7.sys

2008-12-19 14:04 . 2008-04-13 23:57 40,448 --a------ c:\windows\system32\drivers\intelppm.sys

2008-12-19 14:04 . 2008-04-13 16:36 15,488 --a------ c:\windows\system32\drivers\mssmbios.sys

2008-12-19 14:04 . 2008-04-13 16:56 12,288 --a------ c:\windows\system32\drivers\tunmp.sys

2008-12-19 14:04 . 2008-04-13 16:40 11,904 --a------ c:\windows\system32\drivers\sffdisk.sys

2008-12-19 14:04 . 2008-04-13 16:40 11,008 --a------ c:\windows\system32\drivers\sffp_sd.sys

2008-12-19 14:03 . 2008-04-14 00:20 409,088 --a------ c:\windows\system32\qmgr.dll

2008-12-19 14:03 . 2008-06-14 15:34 272,384 --------- c:\windows\system32\drivers\bthport.sys

2008-12-19 14:03 . 2008-04-13 16:53 264,832 --a------ c:\windows\system32\drivers\http.sys

2008-12-19 14:03 . 2008-04-13 16:32 129,792 --a------ c:\windows\system32\drivers\fltmgr.sys

2008-12-19 14:03 . 2008-04-13 16:53 36,608 --a------ c:\windows\system32\drivers\ip6fw.sys

2008-12-19 14:03 . 2008-04-13 16:45 30,208 --a------ c:\windows\system32\drivers\usbehci.sys

2008-12-19 13:56 . 2008-08-14 11:24 2,193,408 --a------ c:\windows\system32\ntoskrnl.exe

2008-12-19 13:48 . 2008-12-19 15:10 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\NOS

2008-12-19 13:48 . 2008-12-19 15:10 <DIR> d-------- c:\arquivos de programas\NOS

2008-12-19 13:12 . 2008-12-19 15:11 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Spybot - Search & Destroy

2008-12-19 13:12 . 2008-12-19 15:09 <DIR> d-------- c:\arquivos de programas\Spybot - Search & Destroy

2008-12-19 12:59 . 2008-12-29 20:52 <DIR> d-------- c:\arquivos de programas\Mozilla Firefox 3.1 Beta 2

2008-12-19 12:59 . 2008-12-19 12:59 0 --a------ c:\windows\nsreg.dat

2008-12-19 12:29 . 2008-12-19 14:02 <DIR> d-------- c:\documents and settings\88248204\Dados de aplicativos\Winamp

2008-12-19 12:29 . 2008-12-19 12:30 <DIR> d-------- c:\arquivos de programas\Winamp

2008-11-23 19:03 . 2008-11-23 19:03 244 --ah----- C:\sqmnoopt13.sqm

2008-11-21 19:47 . 2008-11-21 19:47 3,596,288 --a------ c:\windows\system32\qt-dx331.dll

2008-11-21 19:47 . 2008-11-21 19:47 524,288 --a------ c:\windows\system32\DivXsm.exe

2008-11-21 19:47 . 2008-11-21 19:47 4,816 --a------ c:\windows\system32\divxsm.tlb

2008-11-21 19:46 . 2008-11-21 19:46 1,044,480 --a------ c:\windows\system32\libdivx.dll

2008-11-21 19:46 . 2008-11-21 19:46 200,704 --a------ c:\windows\system32\ssldivx.dll

2008-11-21 19:44 . 2008-11-21 19:44 161,096 --a------ c:\windows\system32\DivXCodecVersionChecker.exe

2008-11-21 19:44 . 2008-11-21 19:44 12,288 --a------ c:\windows\system32\DivXWMPExtType.dll

2008-11-12 12:59 . 2008-10-24 09:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

2008-11-08 23:24 . 2008-11-08 23:24 268 --ah----- C:\sqmdata12.sqm

2008-11-08 23:24 . 2008-11-08 23:24 244 --ah----- C:\sqmnoopt12.sqm

2008-11-04 22:30 . 2008-11-04 22:30 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Apple Computer

2008-11-04 22:30 . 2008-11-04 22:30 <DIR> d-------- c:\arquivos de programas\QuickTime Alternative

2008-11-04 22:30 . 2008-09-06 15:09 90,112 --a------ c:\windows\system32\QuickTimeVR.qtx

2008-11-04 22:30 . 2008-09-06 15:09 57,344 --a------ c:\windows\system32\QuickTime.qts

2008-11-04 21:49 . 2008-11-04 21:49 <DIR> d-------- c:\documents and settings\88248204\temp

2008-11-04 21:49 . 2008-11-04 21:49 <DIR> d-------- c:\documents and settings\88248204\Dados de aplicativos\TeamViewer

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-30 23:35 --------- d-----w c:\arquivos de programas\eMule

2008-12-30 23:31 --------- d-----w c:\documents and settings\88248204\Dados de aplicativos\Lightcomm

2008-12-30 11:37 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\CanonIJPLM

2008-12-22 21:39 --------- d-----w c:\arquivos de programas\Google

2008-12-20 20:39 --------- d-----w c:\arquivos de programas\Megacubo

2008-12-20 20:32 --------- d-----w c:\arquivos de programas\MSN Messenger

2008-12-19 17:15 --------- d-----w c:\arquivos de programas\Arquivos comuns\Adobe

2008-12-19 15:44 --------- d-----w c:\documents and settings\88248204\Dados de aplicativos\AdobeUM

2008-11-05 00:00 4,418,219 ----a-w c:\arquivos de programas\megacubo_log.log

2008-07-09 22:28 16,752 ----a-w c:\documents and settings\88248204\Dados de aplicativos\GDIPFONTCACHEV1.DAT

.

 

((((((((((((((((((((((((((((( snapshot@2008-12-23_21.58.57.78 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-09-26 22:26:34 378,792 ----a-w c:\windows\Downloaded Program Files\CONFLICT.1\gbiehabn.dll

+ 2008-09-26 22:26:34 378,792 ----a-w c:\windows\Downloaded Program Files\CONFLICT.2\gbiehabn.dll

+ 2008-09-26 22:26:34 378,792 ----a-w c:\windows\Downloaded Program Files\gbiehabn.dll

+ 2007-11-06 20:22:06 34,064 ----a-w c:\windows\system32\drivers\npf.sys

+ 2007-11-06 20:22:20 88,696 ----a-w c:\windows\system32\packet.dll

+ 2007-11-06 20:19:28 53,299 ----a-w c:\windows\system32\pthreadVC.dll

+ 2002-10-15 22:54:04 153,088 ----a-w c:\windows\system32\unrar.dll

+ 2002-12-11 08:19:32 368,640 ----a-w c:\windows\system32\vobsub.dll

+ 2007-11-06 20:22:30 68,224 ----a-w c:\windows\system32\WanPacket.dll

+ 2007-11-06 20:23:18 240,248 ----a-w c:\windows\system32\wpcap.dll

+ 2008-12-30 23:43:30 16,384 ----atw c:\windows\temp\Perflib_Perfdata_5f8.dat

+ 2008-12-30 23:43:21 16,384 ----atw c:\windows\temp\Perflib_Perfdata_6dc.dat

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-25 68856]

"MSMSGS"="c:\arquivos de programas\Messenger\msmsgs.exe" [2008-04-14 1695232]

"SpybotSD TeaTimer"="c:\arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-10-12 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-10-12 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-10-12 137752]

"SMSERIAL"="c:\arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-29 638976]

"Office XP crack (nao remover)"="c:\arquivos de programas\Arquivos comuns\Microsoft Shared\Office10\zera_oxp.exe" [2001-06-16 110639]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"tsnp2std"="c:\windows\tsnp2std.exe" [2006-05-22 262144]

"snp2std"="c:\windows\vsnp2std.exe" [2006-05-15 675840]

"Easy-PrintToolBox"="c:\arquivos de programas\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2006-10-16 398944]

"desp2k"="c:\arquivos de programas\Oi Velox\Manager\desp2k.exe" [2006-08-03 65536]

"avast!"="c:\arquiv~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]

"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre6\bin\jusched.exe" [2008-12-22 136600]

"SpywareTerminator"="c:\arquiv~1\SPYWAR~1\SpywareTerminatorShield.exe" [2008-12-23 1783808]

"RTHDCPL"="RTHDCPL.EXE" [2007-11-30 c:\windows\RTHDCPL.exe]

 

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\

Microsoft Office.lnk - c:\arquivos de programas\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{E37CB5F0-51F5-4395-A808-5FA49E399007}"= "c:\arquiv~1\GbPlugin\gbiehabn.dll" [2008-09-26 378792]

"{E37CB5F0-51F5-4395-A808-5FA49E399003}"= "c:\arquivos de programas\GbPlugin\gbiehcef.dll" [2008-10-24 396864]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=nsrobg.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\eMule\\emule.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=

"c:\\Arquivos de programas\\Megacubo\\megacubo.exe"=

"c:\\WINDOWS\\system32\\rtcshare.exe"=

"c:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"c:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

 

R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\GbpKm.sys [2008-12-29 31296]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-07-14 111184]

R1 sp_rsdrv2;Spyware Terminator Driver 2;\??\c:\windows\system32\drivers\sp_rsdrv2.sys [2008-12-23 141312]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-07-14 20560]

R2 cmpe;Context Manager Process Extension;c:\windows\system32\cmpe.exe [2007-02-26 61440]

R2 GbpSv;Gbp Service;c:\arquiv~1\GbPlugin\GbpSv.exe [2008-12-27 52800]

R3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\NPF.sys [2007-11-06 34064]

R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\DRIVERS\RMSPPPOE.SYS [2002-06-10 31232]

.

Conteúdo da pasta 'Tarefas Agendadas'

 

2008-12-30 c:\windows\Tasks\blcdpslx.job

- c:\windows\system32\rundll32.exe [2008-04-14 00:21]

.

- - - - ORFÃOS REMOVIDOS - - - -

 

BHO-{026ec4cd-7d17-4474-b6d5-1e8538acb5c8} - (no file)

BHO-{ceba44a8-6b84-4772-b273-1d91b243fd7a} - (no file)

 

 

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.google.com.br/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office10\EXCEL.EXE/3000

 

c:\windows\Downloaded Program Files\gbpdist.dll - O16 -: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931}

hxxps://www14.bancobrasil.com.br/plugin/GbpDist.cab

c:\windows\Downloaded Program Files\gbpdist.inf

 

O16 -: {E37CB5F0-51F5-4395-A808-5FA49E399007} - hxxps://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab

c:\windows\Downloaded Program Files\CONFLICT.3\GbPluginABN.inf

FF - ProfilePath - c:\documents and settings\88248204\Dados de aplicativos\Mozilla\Firefox\Profiles\sqci9766.default\

FF - component: c:\documents and settings\88248204\Dados de aplicativos\Mozilla\Firefox\Profiles\sqci9766.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E886C}\components\GbMzhBb.dll

FF - component: c:\documents and settings\88248204\Dados de aplicativos\Mozilla\Firefox\Profiles\sqci9766.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E8874}\components\GbMzhAbn.dll

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-30 21:43:53

Windows 5.1.2600 Service Pack 3 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

 

- - - - - - - > 'winlogon.exe'(788)

c:\arquiv~1\GbPlugin\gbiehabn.dll

c:\arquivos de programas\GbPlugin\gbiehcef.dll

.

------------------------ Outros Processos em Execução ------------------------

.

c:\arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

c:\arquivos de programas\Alwil Software\Avast4\ashServ.exe

c:\arquivos de programas\Canon\IJPLM\ijplmsvc.exe

c:\arquivos de programas\Java\jre6\bin\jqs.exe

c:\arquivos de programas\Spyware Terminator\sp_rsser.exe

c:\windows\system32\igfxsrvc.exe

c:\arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

c:\arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

c:\arquivos de programas\Oi Velox\Conexão\pppoe.exe

c:\arquivos de programas\Oi Velox\Manager\manager.exe

.

**************************************************************************

.

Tempo para conclusão: 2008-12-30 21:48:50 - Máquina reiniciou [88248204]

ComboFix-quarantined-files.txt 2008-12-30 23:48:47

ComboFix2.txt 2008-12-23 23:59:40

 

Pré-execução: 12 pasta(s) 10,671,931,392 bytes disponíveis

Pós execução: 12 pasta(s) 10,673,262,592 bytes disponíveis

 

251 --- E O F --- 2008-12-22 20:21:03

 

 

I did what was said with Killbox and it generated a log!

Pocket Killbox version 2.0.0.881

Running on Windows XP as 88248204(Administrator)

was started @ terça-feira, dezembro 30, 2008, 9:54 PM

 

Killbox Closed(Exit) @ 9:56:50 PM

__________________________________________________

 

Pocket Killbox version 2.0.0.648

Running on Windows XP as 88248204(Administrator)

was started @ terça-feira, dezembro 30, 2008, 9:58 PM

 

# 1 [Delete on Reboot]

Path = C:\WINDOWS\system32\hggyaxuu.dll.ren

 

 

Killbox Closed(Exit) @ 10:00:12 PM

__________________________________________________

 

And the HijackThis log.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:08:51, on 30/12/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\ARQUIV~1\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\cmpe.exe

C:\Arquivos de programas\Canon\IJPLM\IJPLMSVC.EXE

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\Arquivos de programas\Spyware Terminator\sp_rsser.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\tsnp2std.exe

C:\WINDOWS\vsnp2std.exe

C:\Arquivos de programas\Oi Velox\Manager\desp2k.exe

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\Arquivos de programas\Java\jre6\bin\jusched.exe

C:\ARQUIV~1\SPYWAR~1\SpywareTerminatorShield.exe

C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Documents and Settings\88248204\Desktop\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre6\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\Arquivos de programas\GbPlugin\gbiehcef.dll

O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\ARQUIV~1\GbPlugin\gbiehabn.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [sMSERIAL] C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe

O4 - HKLM\..\Run: [Office XP crack (nao remover)] C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Office10\zera_oxp.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe

O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe

O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Arquivos de programas\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon

O4 - HKLM\..\Run: [desp2k] C:\Arquivos de programas\Oi Velox\Manager\desp2k.exe

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [spywareTerminator] "C:\ARQUIV~1\SPYWAR~1\SpywareTerminatorShield.exe"

O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/...ash/swflash.cab

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{A9D6F7C8-EDCB-42A1-BE6A-92AB6684154A}: NameServer = 200.165.132.147 200.165.132.155

O20 - AppInit_DLLs: nsrobg.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Context Manager Process Extension (cmpe) - LightComm - C:\WINDOWS\system32\cmpe.exe

O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Arquivos de programas\Canon\IJPLM\IJPLMSVC.EXE

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Arquivos de programas\Spyware Terminator\sp_rsser.exe

 

--

End of file - 7526 bytes

 

 

 

So? All clean?


Hello, excellent results.

 

To confirm, run a new online scan with Kaspersky as you did the first time.


After 3 power outages, I finally got what was missing!

Here is the log!

 

I think it is all clean!

 

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7 REPORT

Thursday, January 1, 2009

Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Thursday, January 01, 2009 12:59:37

Records in database: 1542601

--------------------------------------------------------------------------------

 

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

 

Scan area - My Computer:

C:\

D:\

E:\

 

Scan statistics:

Files scanned: 57605

Threat name: 6

Infected objects: 9

Suspicious objects: 0

Duration of the scan: 02:08:34

 

 

File name / Threat name / Threats count

C:\Arquivos de programas\Alwil Software\Avast4\DATA\moved\A0030026.exe.vir Infected: Trojan-Downloader.Win32.Banload.ofl 1

C:\Arquivos de programas\Alwil Software\Avast4\DATA\moved\trz40.tmp.vir Infected: Backdoor.Win32.KeyStart.m 1

C:\Arquivos de programas\Alwil Software\Avast4\DATA\moved\wssl713fro[1].exe.vir Infected: Backdoor.Win32.KeyStart.m 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_7ffaa03_.sys.zip Infected: Rootkit.Win32.Pakes.gg 2

C:\Qoobox\Quarantine\C\WINDOWS\system32\elifdcsr.dll.vir Infected: Trojan.Win32.Monder.afdj 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\nsrobg.dll.vir Infected: Trojan.Win32.Monder.afdj 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\pdowwiem.dll.vir Infected: Trojan.Win32.Monder.afdh 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\pmnnKBRl.dll.vir Infected: Trojan.Win32.Monder.afdi 1

 

The selected area was scanned.

 

 

Thanks, Mr. Perfect!


OK, the log is clean :)

 

In Run, type combofix /u and confirm the uninstallation of ComboFix.

 

- I recommend a maintenance pass on the computer to remove temporary and unnecessary files and invalid registry entries. Download CCleaner

 

◘ Click Save and, when the download has finished, install it;

◘ Open the program and click Run Cleaner;

◘ After that, click Registry > Scan for Issues > Fix selected issues.


PROBLEM SOLVED!

 

If the author needs the topic reopened, just send a Private Message to a Moderator with a link to the topic.
