DOTORE, posted January 4, 2009

Good afternoon, everyone! When Windows starts I get a message saying that the file "wmsncs.exe" was not found. I have already researched the subject and found that it is a virus, already detected by Avira. I ran ComboFix and the log is copied below. How should I proceed now?!?! Thanks in advance to anyone who can help!!!!

ATENÇAO - ESTA MAQUINA NAO TEM O CONSOLE DE RECUPERAÇÃO INSTALADA !!
.
((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\a.exe
c:\windows\system32\i
c:\windows\system32\msmsgs.exe
.
(((((((((((((((( Arquivos/Ficheiros criados de 2008-12-04 to 2009-01-04 ))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((( snapshot@2009-01-04_16.41.56,78 )))))))))))))))))))))))))))))))))))))))))
.
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\ctfmon.exe" [2002-09-09 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Motive SmartBridge"="c:\arquiv~1\ASSIST~1\SMARTB~1\MotiveSB.exe" [2005-04-15 397312]
"avgnt"="c:\arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"Wmsncs Service"="c:\windows\Fonts\wmsncs.exe" [bU]
"NvidMediaCenter"="c:\arquivos de programas\Arquivos comuns\System\wmsncs.exe" [bU]
"Spool Driver Service"="c:\windows\System32\spool\drivers\wmsncs.exe" [bU]
"Wins Service"="c:\windows\System32\wins\wmsncs.exe" [bU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-09-09 13312]
"Wmsncs Service"="c:\windows\Fonts\wmsncs.exe" [bU]
"NvidMediaCenter"="c:\arquivos de programas\Arquivos comuns\System\wmsncs.exe" [bU]
"Spool Driver Service"="c:\windows\System32\spool\drivers\wmsncs.exe" [bU]
"Wins Service"="c:\windows\System32\wins\wmsncs.exe" [bU]

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\
Assistente Tecnico Speedy.lnk - c:\arquivos de programas\Assistente Tecnico Speedy\bin\matcli.exe [2009-01-04 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="explorer.exe \"c:\windows\Fonts\wmsncs.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"wmsncs.exe"= wmsncs.exe:SYSTEM

R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [2009-01-04 22336]
R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [2009-01-04 45376]
R4 NET Runtime Optimization Service v2.1.41329_X86;NET Runtime Optimization Service v2.1.41329_X86;"c:\windows\Fonts\wmsncs.exe" --> c:\windows\Fonts\wmsncs.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{103L3C30-C3B3-4130-9363-E59E1375PERM}]
c:\windows\Fonts\wmsncs.exe
.
- - - - ORFÃOS REMOVIDOS - - - -

HKU-Default-Run-Microsoft Msn Messenger - c:\windows\System32\msmsgs.exe
.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.gazetaesportiva.net/
uInternet Settings,ProxyOverride = 127.0.0.1
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
TCP: {F7863334-89D9-4B42-978E-BB68E6F19025} = 200.204.0.10 200.204.0.138
O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-04 17:28:38
Windows 5.1.2600 Service Pack 1 NTFS
Procurando processos ocultos ...
c:\ark4.tmpfonts\wmsncs.exe [4060] 0x85F037D0
Procurando entradas auto inicializáveis ocultas ...
Procurando ficheiros/arquivos ocultos ...
Varredura completada com sucesso
arquivos/ficheiros ocultos: 0
**************************************************************************
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------
- - - - - - - > 'winlogon.exe'(516)
c:\windows\System32\ODBC32.dll
- - - - - - - > 'lsass.exe'(572)
c:\windows\System32\dssenh.dll
.
Tempo para conclusão: 2009-01-04 17:29:00
ComboFix-quarantined-files.txt 2009-01-04 19:28:55
ComboFix2.txt 2009-01-04 18:42:14
Pré-execução: 7 pasta(s) 156.973.387.776 bytes disponíveis
Pós execução: 7 pasta(s) 156,971,900,928 bytes disponíveis
133
PedroN, posted January 4, 2009

Hello DOTORE,

Follow my procedures in order so that there is no error in the analysis.

1) ComboFix procedure

I suggest you print or save the procedures below, and do not use the internet until the procedure is finished.

Select and copy the text inside the QUOTE (grey box) below. Open Notepad and paste what you copied. Then save it on the desktop with the name CFScript.txt.

File::
C:\ARK4.tmp
c:\windows\Fonts\wmsncs.exe
c:\windows\System32\wins\wmsncs.exe

Driver::
"wmsncs.exe"

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wmsncs Service"=-
"Wins Service"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Wmsncs Service"=-
"Wins Service"=-

This script was written only for this computer, according to the files and keys present; do not use it on another computer, as it may cause damage.

Now drag CFScript.txt onto ComboFix as shown in the demonstration below. ComboFix will run and will restart the PC automatically to complete the removal process.

IMPORTANT: Do not use the mouse or keyboard while ComboFix is running.

When it finishes, a log will be generated at C:\ComboFix.txt.

2) Malwarebytes

• Go to this link and download: < Malwarebytes >
• Update the program!
• Choose the Quick scan!
• Disable protection programs when running Malwarebytes.
• Send the detected items to quarantine by clicking Remove items.
• For more details: < Link >
-----------------------
• Post the reports: mbam-log-2008-xx-xx (00-00-00).txt, plus updated HijackThis and ComboFix logs.
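The registry loading-points section of the ComboFix log is what the helper reads by eye before writing the CFScript above. As an added example (not code from this thread, from ComboFix or from its author), here is a small Python triage script that parses that section and flags the patterns this log shows: one binary registered under several Run values, autostarts living in the Fonts, spool\drivers or wins folders, a Winlogon Shell value that is not plain explorer.exe, Security Center overrides, and a disabled firewall with an exception; it then emits the Registry:: block a CFScript would need to drop the flagged Run values. The sample log is a constructed excerpt of the entries posted above, and the list of suspicious folders is an assumption drawn from this thread.

```python
"""Triage the 'Pontos de Carregamento do Registro' section of a ComboFix log.

Added example: flags the autorun patterns seen in this thread and emits the
Registry:: block of a CFScript for the flagged Run values.
"""
import ntpath
import re
from collections import defaultdict

# Constructed sample: a trimmed excerpt of the loading-points section posted above.
SAMPLE_LOG = r'''
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\ctfmon.exe" [2002-09-09 13312]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"Wmsncs Service"="c:\windows\Fonts\wmsncs.exe" [bU]
"NvidMediaCenter"="c:\arquivos de programas\Arquivos comuns\System\wmsncs.exe" [bU]
"Spool Driver Service"="c:\windows\System32\spool\drivers\wmsncs.exe" [bU]
"Wins Service"="c:\windows\System32\wins\wmsncs.exe" [bU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="explorer.exe \"c:\windows\Fonts\wmsncs.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"wmsncs.exe"= wmsncs.exe:SYSTEM
'''

# Folders abused in this thread; assumption: legitimate autostarts never live there.
SUSPICIOUS_DIRS = ("\\fonts", "\\spool\\drivers", "\\wins")

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
ANNOTATION_RE = re.compile(r"\s*\[[^\]]*\]$")  # ComboFix's trailing "[date size]" or "[bU]" tag


def parse_loading_points(text):
    """Return (key, value_name, data) triples; data loses the annotation and outer quotes."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            data = ANNOTATION_RE.sub("", m.group(2)).strip()
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\"', '"')  # the Shell value carries escaped quotes
            entries.append((key, m.group(1), data))
    return entries


def flagged_run_values(entries):
    """Run values whose binary sits in a suspicious folder or whose file name is registered repeatedly."""
    run = [(k, n, d) for k, n, d in entries if k.lower().endswith("\\run")]
    seen = defaultdict(int)
    for _, _, d in run:
        seen[ntpath.basename(d.lower())] += 1
    return [(k, n, d) for k, n, d in run
            if ntpath.dirname(d.lower()).endswith(SUSPICIOUS_DIRS)
            or seen[ntpath.basename(d.lower())] > 1]


def triage(entries):
    """The checks a helper runs by eye over this section, returned as a list of findings."""
    findings = [f"suspicious autostart '{n}' -> {d}" for _, n, d in flagged_run_values(entries)]
    for key, name, data in entries:
        k = key.lower()
        if k.endswith("\\winlogon") and name.lower() == "shell" and data.lower() != "explorer.exe":
            findings.append(f"Winlogon Shell hijacked: {data}")
        elif k.endswith("security center") and data == "dword:00000001" \
                and name.endswith(("Override", "DisableNotify")):
            findings.append(f"Security Center check suppressed: {name}")
        elif k.endswith("\\standardprofile") and name == "EnableFirewall" and data.startswith("0"):
            findings.append("Windows Firewall disabled in the standard profile")
        elif k.endswith("\\authorizedapplications\\list"):
            findings.append(f"firewall exception granted to {name} ({data})")
    return findings


def cfscript_registry_section(entries):
    """Registry:: block of a CFScript that deletes every flagged Run value ("name"=- syntax)."""
    lines, current = ["Registry::"], None
    for key, name, _ in flagged_run_values(entries):
        if key != current:
            lines.append(f"[{key}]")
            current = key
        lines.append(f'"{name}"=-')
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_loading_points(SAMPLE_LOG)
    for finding in triage(parsed):
        print("!", finding)
    print(cfscript_registry_section(parsed))
```

On the sample it flags all four Run values pointing at wmsncs.exe, including the two the hand-written script above left out, which is why they still appear in the next log.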
DOTORE, posted January 5, 2009

Dear Mr. Perfect, below are the Malwarebytes and ComboFix reports. Thanks for your attention!

Malwarebytes' Anti-Malware 1.32
Versão do banco de dados: 1617
Windows 5.1.2600 Service Pack 1

5/1/2009 12:30:19
mbam-log-2009-01-05 (12-30-19).txt

Tipo de Verificação: Completa (C:\|)
Objetos verificados: 52881
Tempo decorrido: 5 minute(s), 53 second(s)

Processos da Memória infectados: 0
Módulos de Memória Infectados: 0
Chaves do Registro infectadas: 1
Valores do Registro infectados: 0
Ítens do Registro infectados: 0
Pastas infectadas: 0
Arquivos infectados: 0

Processos da Memória infectados:
(Nenhum ítem malicioso foi detectado)

Módulos de Memória Infectados:
(Nenhum ítem malicioso foi detectado)

Chaves do Registro infectadas:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NET Runtime Optimization Service v2.1.41329_X86 (Trojan.Agent) -> Quarantined and deleted successfully.

Valores do Registro infectados:
(Nenhum ítem malicioso foi detectado)

Ítens do Registro infectados:
(Nenhum ítem malicioso foi detectado)

Pastas infectadas:
(Nenhum ítem malicioso foi detectado)

Arquivos infectados:
(Nenhum ítem malicioso foi detectado)

ComboFix 09-01-02.01 - FERRARI & DOTORE REP 2009-01-05 12:02:05.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1046.18.1015.774 [GMT -2:00]
Executando de: c:\documents and settings\FERRARI & DOTORE REP\Desktop\ComboFix.exe
Comandos utilizados :: c:\documents and settings\FERRARI & DOTORE REP\Desktop\CFScript.txt
* Criado um novo ponto de restauro

ATENÇAO - ESTA MAQUINA NAO TEM O CONSOLE DE RECUPERAÇÃO INSTALADA !!

FILE ::
C:\ARK4.tmp
c:\windows\Fonts\wmsncs.exe
c:\windows\System32\wins\wmsncs.exe
.
((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\a.exe
c:\windows\system32\i
c:\windows\system32\msmsgs.exe
.
(((((((((((((((( Arquivos/Ficheiros criados de 2008-12-05 to 2009-01-05 ))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((( snapshot@2009-01-04_16.41.56,78 )))))))))))))))))))))))))))))))))))))))))
.
.
-- Snapshot resetado para data atual --
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\ctfmon.exe" [2002-09-09 13312]
"MSMSGS"="c:\arquivos de programas\Messenger\msmsgs.exe" [2002-08-20 1511453]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Motive SmartBridge"="c:\arquiv~1\ASSIST~1\SMARTB~1\MotiveSB.exe" [2005-04-15 397312]
"avgnt"="c:\arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"NvidMediaCenter"="c:\arquivos de programas\Arquivos comuns\System\wmsncs.exe" [bU]
"Spool Driver Service"="c:\windows\System32\spool\drivers\wmsncs.exe" [bU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-09-09 13312]
"NvidMediaCenter"="c:\arquivos de programas\Arquivos comuns\System\wmsncs.exe" [bU]
"Spool Driver Service"="c:\windows\System32\spool\drivers\wmsncs.exe" [bU]
"Microsoft Msn Messenger"="c:\windows\System32\msmsgs.exe" [bU]

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\
Assistente Tecnico Speedy.lnk - c:\arquivos de programas\Assistente Tecnico Speedy\bin\matcli.exe [2009-01-04 217088]
Microsoft Office.lnk - c:\arquivos de programas\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"wmsncs.exe"= wmsncs.exe:SYSTEM

R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [2009-01-04 22336]
R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [2009-01-04 45376]
S4 NET Runtime Optimization Service v2.1.41329_X86;NET Runtime Optimization Service v2.1.41329_X86;"c:\windows\Fonts\wmsncs.exe" --> c:\windows\Fonts\wmsncs.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{103L3C30-C3B3-4130-9363-E59E1375PERM}]
c:\windows\Fonts\wmsncs.exe
.
- - - - ORFÃOS REMOVIDOS - - - -

HKCU-Run-Microsoft Msn Messenger - c:\windows\System32\msmsgs.exe
HKLM-RunOnce-<NO NAME> - (no file)
.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.freeart1cile.com
uInternet Settings,ProxyOverride = 127.0.0.1
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
TCP: {F7863334-89D9-4B42-978E-BB68E6F19025} = 200.204.0.10 200.204.0.138
O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-05 12:02:45
Windows 5.1.2600 Service Pack 1 NTFS
Procurando processos ocultos ...
Procurando entradas auto inicializáveis ocultas ...
Procurando ficheiros/arquivos ocultos ...
Varredura completada com sucesso
arquivos/ficheiros ocultos: 0
**************************************************************************
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------
- - - - - - - > 'winlogon.exe'(532)
c:\windows\System32\ODBC32.dll
- - - - - - - > 'lsass.exe'(588)
c:\windows\System32\dssenh.dll
.
Tempo para conclusão: 2009-01-05 12:03:06
ComboFix-quarantined-files.txt 2009-01-05 14:03:00
ComboFix2.txt 2009-01-04 19:29:00
ComboFix3.txt 2009-01-04 18:42:14
Pré-execução: 7 pasta(s) 156.343.955.456 bytes disponíveis
Pós execução: 7 pasta(s) 156,346,269,696 bytes disponíveis
210
PedroN, posted January 5, 2009

- Download SDFix.

Restart your computer and tap the F8 key (F5 in some cases) repeatedly during startup until a menu appears where you should choose the Safe Mode option.

1. Open the SDFix folder that was installed on your computer and double-click the file RunThis.bat.
2. Press Y so the tool starts the removal process.
3. When everything is finished, you will see a notice telling you to press any key to continue. When you press any key, the computer will restart automatically.
4. After restarting, the tool will run again and finish its work, and the word Finished will appear. Press any key.
5. A window with the SDFix report will appear.
6. Copy and paste this report into your reply.

If you closed the window, a copy of the report is in the SDFix folder with the name Report.txt.
DOTORE, posted January 5, 2009

Mr. Perfect, here is the SDFix report.

SDFix: Version 1.240
Run by FERRARI

Microsoft Windows XP [versão 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\i - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-05 19:09:50
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"wmsncs.exe"="wmsncs.exe:*:Enabled:SYSTEM"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Finished!
PedroN, posted January 6, 2009

Run ComboFix again and post its log together with a HijackThis log.
DOTORE, posted January 6, 2009

Mr. Perfect, here are the reports.

ComboFix 09-01-02.01 - FERRARI & DOTORE REP 2009-01-06 7:15:16.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1046.18.1015.758 [GMT -2:00]
Executando de: c:\documents and settings\FERRARI & DOTORE REP\Desktop\ComboFix.exe

ATENÇAO - ESTA MAQUINA NAO TEM O CONSOLE DE RECUPERAÇÃO INSTALADA !!
.
((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\i
.
(((((((((((((((( Arquivos/Ficheiros criados de 2008-12-06 to 2009-01-06 ))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-01-06 00:14 189,990 ------w c:\windows\Fonts\wmsncs.exe 2009-01-04 23:35 --------- d-----w c:\arquivos de programas\microsoft frontpage 2009-01-04 17:54 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Avira 2009-01-04 17:54 --------- d-----w c:\arquivos de programas\Avira 2009-01-04 17:31 --------- d-----w c:\documents and settings\FERRARI & DOTORE REP\Dados de aplicativos\Motive 2009-01-04 17:30 --------- d-----w c:\arquivos de programas\Assistente Tecnico Speedy 2009-01-04 17:30 --------- d-----w c:\arquivos de programas\Arquivos comuns\Motive 2009-01-04 17:29 --------- d-----w c:\arquivos de programas\Motive 2009-01-04 17:29 --------- d-----w c:\arquivos de programas\Common Files 2009-01-04 17:26 --------- d-----w c:\arquivos de programas\Telefonica 2009-01-04 17:17 558,142 ----a-w c:\windows\java\Packages\NF7XBVL3.ZIP 2009-01-04 17:16 155,995 ----a-w c:\windows\java\Packages\9ZFLZXJL.ZIP 2009-01-04 17:14 --------- d-----w c:\arquivos de programas\Arquivos comuns\Serviços 2009-01-04 17:13 --------- d-----w c:\arquivos de programas\Serviços on-line . ((((((((((((((((((((((((((((( snapshot_2009-01-05_12.02.50,29 ))))))))))))))))))))))))))))))))))))))))) . 
+ 2004-03-16 12:58:20 136,960 ------w c:\windows\Driver Cache\i386\portcls.sys + 2008-08-07 17:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX\ERDNT.EXE + 2009-01-05 21:07:19 880,640 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT + 2009-01-05 21:07:19 8,192 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat + 2008-08-07 17:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE + 2009-01-05 21:07:14 880,640 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT + 2009-01-05 21:07:14 8,192 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat - 2009-01-04 17:16:27 2,112 ----a-w c:\windows\PCHealth\HelpCtr\PackageStore\SkuStore.bin + 2009-01-05 23:38:38 2,410 ----a-w c:\windows\PCHealth\HelpCtr\PackageStore\SkuStore.bin - 2009-01-05 13:55:23 32,768 ----a-w c:\windows\system32\config\systemprofile\Configurações locais\Histórico\History.IE5\index.dat + 2009-01-06 09:08:58 32,768 ----a-w c:\windows\system32\config\systemprofile\Configurações locais\Histórico\History.IE5\index.dat - 2009-01-05 13:55:23 32,768 ----a-w c:\windows\system32\config\systemprofile\Configurações locais\Temporary Internet Files\Content.IE5\index.dat + 2009-01-06 09:08:58 49,152 ----a-w c:\windows\system32\config\systemprofile\Configurações locais\Temporary Internet Files\Content.IE5\index.dat - 2009-01-05 13:55:23 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat + 2009-01-06 09:08:58 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat + 2002-08-29 01:16:38 142,208 -c--a-w c:\windows\system32\dllcache\aec.sys + 2001-08-17 23:59:58 50,048 -c--a-w c:\windows\system32\dllcache\dmusic.sys + 2002-08-29 03:32:34 57,856 -c--a-w c:\windows\system32\dllcache\drmk.sys + 2002-08-29 03:32:34 2,816 -c--a-w c:\windows\system32\dllcache\drmkaud.sys + 2002-08-29 03:32:30 159,360 -c--a-w c:\windows\system32\dllcache\kmixer.sys + 2002-08-29 04:13:42 131,712 -c--a-w c:\windows\system32\dllcache\ks.sys + 2001-09-06 
01:50:14 4,096 -c--a-w c:\windows\system32\dllcache\ksuser.dll + 2002-08-29 03:27:12 7,040 -c--a-w c:\windows\system32\dllcache\mskssrv.sys + 2001-08-17 23:48:46 4,608 -c--a-w c:\windows\system32\dllcache\mspqm.sys - 2002-09-09 14:07:52 172,032 -c--a-w c:\windows\system32\dllcache\mssap.dll + 2005-01-07 19:06:54 134,144 -c--a-w c:\windows\system32\dllcache\Mssap.dll + 2002-08-29 03:32:28 5,888 -c--a-w c:\windows\system32\dllcache\splitter.sys + 2002-08-29 03:32:34 44,416 -c--a-w c:\windows\system32\dllcache\stream.sys + 2001-08-18 00:00:52 54,272 -c--a-w c:\windows\system32\dllcache\swmidi.sys + 2002-08-29 04:01:18 56,832 -c--a-w c:\windows\system32\dllcache\sysaudio.sys + 2002-08-29 04:00:48 77,440 -c--a-w c:\windows\system32\dllcache\wdmaud.sys + 2002-08-29 01:16:38 142,208 ----a-w c:\windows\system32\drivers\aec.sys + 2001-08-17 23:59:58 50,048 ----a-w c:\windows\system32\drivers\DMusic.sys + 2002-08-29 03:32:34 57,856 ----a-w c:\windows\system32\drivers\drmk.sys + 2002-08-29 03:32:34 2,816 ----a-w c:\windows\system32\drivers\drmkaud.sys + 2005-01-07 19:07:18 138,752 ------w c:\windows\system32\drivers\Hdaudbus.sys + 2005-01-07 19:07:16 145,920 ------w c:\windows\system32\drivers\Hdaudio.sys + 2002-08-29 03:32:30 159,360 ----a-w c:\windows\system32\drivers\kmixer.sys - 2002-09-09 14:19:28 131,712 ----a-w c:\windows\system32\drivers\ks.sys + 2002-08-29 04:13:42 131,712 ----a-w c:\windows\system32\drivers\ks.sys + 2002-08-29 03:27:12 7,040 ----a-w c:\windows\system32\drivers\MSKSSRV.sys + 2001-08-17 23:48:46 4,608 ----a-w c:\windows\system32\drivers\MSPQM.sys + 2004-03-16 12:58:20 136,960 ----a-w c:\windows\system32\drivers\portcls.sys + 2002-08-29 03:32:28 5,888 ----a-w c:\windows\system32\drivers\splitter.sys - 2002-09-09 14:19:28 44,416 ----a-w c:\windows\system32\drivers\stream.sys + 2002-08-29 03:32:34 44,416 ----a-w c:\windows\system32\drivers\stream.sys + 2001-08-18 00:00:52 54,272 ----a-w c:\windows\system32\drivers\swmidi.sys + 2002-08-29 04:01:18 56,832 
----a-w c:\windows\system32\drivers\sysaudio.sys + 2002-08-29 04:00:48 77,440 ----a-w c:\windows\system32\drivers\wdmaud.sys - 2009-01-04 23:43:55 110,992 ----a-w c:\windows\system32\FNTCACHE.DAT + 2009-01-05 23:41:09 110,992 ----a-w c:\windows\system32\FNTCACHE.DAT + 2005-01-07 19:07:16 25,088 ------w c:\windows\system32\HdAProp.dll + 2005-01-07 19:07:16 61,952 ------w c:\windows\system32\HdAShCut.exe + 2005-01-07 19:07:04 5,120 ------w c:\windows\system32\HdAudRes.dll + 2001-09-06 01:50:14 4,096 ----a-w c:\windows\system32\ksuser.dll - 2002-09-09 14:07:52 172,032 ----a-w c:\windows\system32\mssap.dll + 2005-01-07 19:06:54 134,144 ----a-w c:\windows\system32\Mssap.dll - 2009-01-04 17:25:37 39,992 ----a-w c:\windows\system32\perfc009.dat + 2009-01-05 23:25:53 39,992 ----a-w c:\windows\system32\perfc009.dat - 2009-01-04 17:25:37 48,628 ----a-w c:\windows\system32\perfc016.dat + 2009-01-05 23:25:53 48,628 ----a-w c:\windows\system32\perfc016.dat - 2009-01-04 17:25:37 311,604 ----a-w c:\windows\system32\perfh009.dat + 2009-01-05 23:25:53 311,604 ----a-w c:\windows\system32\perfh009.dat - 2009-01-04 17:25:37 344,380 ----a-w c:\windows\system32\perfh016.dat + 2009-01-05 23:25:53 344,380 ----a-w c:\windows\system32\perfh016.dat + 2001-09-06 01:48:12 36,864 ----a-w c:\windows\system32\spool\drivers\w32x86\3\EP9RES.DLL + 2002-09-09 16:08:20 252,416 ----a-w c:\windows\system32\spool\drivers\w32x86\3\UNIDRV.DLL + 2002-09-09 16:08:20 198,144 ----a-w c:\windows\system32\spool\drivers\w32x86\3\UNIDRVUI.DLL + 2001-09-06 01:47:08 620,032 ----a-w c:\windows\system32\spool\drivers\w32x86\3\UNIRES.DLL - 2001-10-28 12:06:30 22,016 ----a-w c:\windows\system32\wdmaud.drv + 2001-09-06 01:50:56 22,016 ----a-w c:\windows\system32\wdmaud.drv + 2009-01-06 00:14:06 189,990 ----a-w c:\windows\system32\wins\wmsncs.exe . -- Snapshot resetado para data atual -- . (((((((((((((((((((((((((( Pontos de Carregamento do Registro ))))))))))))))))))))))))))))))))))))))) . . 
*Nota* entradas vazias e legítimas por defeito não são mostradas. REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\System32\ctfmon.exe" [2002-09-09 13312] "MSMSGS"="c:\arquivos de programas\Messenger\msmsgs.exe" [2002-08-20 1511453] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Motive SmartBridge"="c:\arquiv~1\ASSIST~1\SMARTB~1\MotiveSB.exe" [2005-04-15 397312] "avgnt"="c:\arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497] "SysTrayApp"="c:\arquivos de programas\IDT\WDM\sttray.exe" [2008-09-18 442470] "Wmsncs Service"="c:\windows\Fonts\wmsncs.exe" [2009-01-05 189990] "NvidMediaCenter"="c:\arquivos de programas\Arquivos comuns\System\wmsncs.exe" [2009-01-05 189990] "Spool Driver Service"="c:\windows\System32\spool\drivers\wmsncs.exe" [2009-01-05 189990] "Wins Service"="c:\windows\System32\wins\wmsncs.exe" [bU] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-09-09 13312] "Microsoft Msn Messenger"="c:\windows\System32\msmsgs.exe" [bU] "Wmsncs Service"="c:\windows\Fonts\wmsncs.exe" [2009-01-05 189990] "NvidMediaCenter"="c:\arquivos de programas\Arquivos comuns\System\wmsncs.exe" [2009-01-05 189990] "Spool Driver Service"="c:\windows\System32\spool\drivers\wmsncs.exe" [bU] "Wins Service"="c:\windows\System32\wins\wmsncs.exe" [2009-01-05 189990] c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\ Assistente Tecnico Speedy.lnk - c:\arquivos de programas\Assistente Tecnico Speedy\bin\matcli.exe [2009-01-04 217088] Microsoft Office.lnk - c:\arquivos de programas\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588] wmsncs.exe [2009-01-05 189990] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "Shell"="explorer.exe \"c:\windows\Fonts\wmsncs.exe\"" [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ autocheck 
autochk *\0lsdelete [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) "DisableNotifications"= 1 (0x1) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "wmsncs.exe"= wmsncs.exe:SYSTEM R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [2009-01-04 22336] R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [2009-01-04 45376] R4 NET Runtime Optimization Service v2.1.41329_X86;NET Runtime Optimization Service v2.1.41329_X86;c:\windows\Fonts\wmsncs.exe [2009-01-05 189990] S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\arquivos de programas\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [2009-01-05 23152] *Newly Created Service* - BITS [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{103L3C30-C3B3-4130-9363-E59E1375PERM}] c:\windows\Fonts\wmsncs.exe . . ------- Scan Suplementar ------- . uStart Page = hxxp://www.gazetaesportiva.net/ uInternet Settings,ProxyOverride = 127.0.0.1 IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm TCP: {F7863334-89D9-4B42-978E-BB68E6F19025} = 200.204.0.10 200.204.0.138 O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-01-06 07:16:24 Windows 5.1.2600 Service Pack 1 NTFS Procurando processos ocultos ... 
c:\windows\Fonts\wmsncs.exe [1980] 0x85D5AA58 Procurando entradas auto inicializáveis ocultas ... Procurando ficheiros/arquivos ocultos ... Varredura completada com sucesso arquivos/ficheiros ocultos: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\EverestDriver] "ImagePath"="\??\c:\arquivos de programas\Lavalys\EVEREST Ultimate Edition\kerneld.wnt" . --------------------- DLLs Carregadas Sob os Processos em Execução --------------------- - - - - - - - > 'winlogon.exe'(536) c:\windows\System32\ODBC32.dll - - - - - - - > 'lsass.exe'(592) c:\windows\System32\dssenh.dll . Tempo para conclusão: 2009-01-06 7:16:52 ComboFix-quarantined-files.txt 2009-01-06 09:16:44 ComboFix2.txt 2009-01-05 14:03:07 ComboFix3.txt 2009-01-04 19:29:00 ComboFix4.txt 2009-01-04 18:42:14 Pré-execução: 8 pasta(s) 155.894.513.664 bytes disponíveis Pós execução: 8 pasta(s) 155,926,835,200 bytes disponíveis 247 Logfile of Trend Micro HijackThis v2.0.2Scan saved at 07:14:15, on 6/1/2009 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Arquivos de programas\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\explorer.exe C:\ARQUIV~1\ASSIST~1\SMARTB~1\MotiveSB.exe C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Arquivos de programas\IDT\WDM\sttray.exe C:\WINDOWS\System32\ctfmon.exe C:\Arquivos de programas\Messenger\msmsgs.exe C:\Arquivos de programas\Assistente Tecnico Speedy\bin\mad.exe C:\Arquivos de programas\Assistente Tecnico Speedy\bin\mpbtn.exe C:\WINDOWS\system32\spoolsv.exe c:\arquivos de programas\idt\5902xp_6033v_012208\wdm\STacSV.exe C:\ARQUIV~1\Motive\ASSTCO~1\MOTIVE~1.EXE C:\Arquivos de programas\Avira\AntiVir 
PersonalEdition Classic\sched.exe C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\System32\wuauclt.exe C:\Documents and Settings\FERRARI & DOTORE REP\Configurações locais\temp\Diretório temporário 1 para HiJackThis.zip\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gazetaesportiva.net/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 F2 - REG:system.ini: Shell=explorer.exe "C:\WINDOWS\Fonts\wmsncs.exe" O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [Motive SmartBridge] "C:\ARQUIV~1\ASSIST~1\SMARTB~1\MotiveSB.exe" /restart O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [sysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe O4 - HKLM\..\Run: [Wmsncs Service] C:\WINDOWS\Fonts\wmsncs.exe O4 - HKLM\..\Run: [NvidMediaCenter] C:\Arquivos de programas\Arquivos comuns\System\wmsncs.exe O4 - HKLM\..\Run: [spool Driver Service] C:\WINDOWS\System32\spool\drivers\wmsncs.exe O4 - HKLM\..\Run: [Wins Service] C:\WINDOWS\System32\wins\wmsncs.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background O4 - 
HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [Microsoft Msn Messenger] C:\WINDOWS\System32\msmsgs.exe (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [Wmsncs Service] C:\WINDOWS\Fonts\wmsncs.exe (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [NvidMediaCenter] C:\Arquivos de programas\Arquivos comuns\System\wmsncs.exe (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [spool Driver Service] C:\WINDOWS\System32\spool\drivers\wmsncs.exe (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [Wins Service] C:\WINDOWS\System32\wins\wmsncs.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Assistente Tecnico Speedy.lnk = C:\Arquivos de programas\Assistente Tecnico Speedy\bin\matcli.exe O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: wmsncs.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp O17 - HKLM\System\CCS\Services\Tcpip\..\{F7863334-89D9-4B42-978E-BB68E6F19025}: NameServer = 200.204.0.10 200.204.0.138 O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Arquivos de programas\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Audio Service (STacSV) - IDT, Inc. 
- c:\arquivos de programas\idt\5902xp_6033v_012208\wdm\STacSV.exe -- End of file - 5139 bytes Compartilhar este post Link para o post Compartilhar em outros sites
DOTORE 0 Denunciar post Postado Janeiro 6, 2009 Sr. Perfect, passei o Avira no pc... encontra o tr/atraps.gen. Mas o antivírus não apaga o c:\ark7.tmp. Segue relatórios após antivírus: ComboFix 09-01-02.01 - FERRARI & DOTORE REP 2009-01-06 7:47:24.5 - NTFSx86Microsoft Windows XP Professional 5.1.2600.1.1252.1.1046.18.1015.737 [GMT -2:00] Executando de: c:\documents and settings\FERRARI & DOTORE REP\Desktop\ComboFix.exe ATENÇAO - ESTA MAQUINA NAO TEM O CONSOLE DE RECUPERAÇÃO INSTALADA !! . (((((((((((((((( Arquivos/Ficheiros criados de 2008-12-06 to 2009-01-06 )))))))))))))))))))))))))))) . 2009-01-05 22:14 . 2009-01-05 22:14 189,990 --a------ C:\ARK7.tmp 2009-01-05 21:24 . 2009-01-05 21:24 <DIR> d--h----- c:\arquivos de programas\InstallShield Installation Information 2009-01-05 21:24 . 2009-01-05 21:24 <DIR> d-------- c:\arquivos de programas\IDT 2009-01-05 21:24 . 2009-01-05 21:24 <DIR> d-------- c:\arquivos de programas\Arquivos comuns\InstallShield 2009-01-05 21:24 . 2008-09-18 19:23 8,101,988 --a------ c:\windows\system32\idtsg.cpl 2009-01-05 21:24 . 2008-09-18 19:23 2,314,240 --a------ c:\windows\system32\stlang.dll 2009-01-05 21:24 . 2008-09-18 19:23 1,293,149 --a------ c:\windows\system32\drivers\sthda.sys 2009-01-05 21:24 . 2008-09-18 19:23 442,476 --a------ c:\windows\system32\stacapi.dll 2009-01-05 21:24 . 2008-09-18 19:23 442,470 --a------ c:\windows\sttray.exe 2009-01-05 21:24 . 2008-09-18 19:23 221,276 --a------ c:\windows\system32\stacsv.exe 2009-01-05 21:24 . 2008-09-18 19:23 150,528 --a------ c:\windows\system32\staco.dll 2009-01-05 21:24 . 2004-11-18 10:42 22,752 --a------ c:\windows\system32\spupdsvc.exe 2009-01-05 21:24 . 2001-08-17 21:48 5,120 --a------ c:\windows\system32\drivers\MSPCLOCK.sys 2009-01-05 21:24 . 2001-08-17 21:48 5,120 --a--c--- c:\windows\system32\dllcache\mspclock.sys 2009-01-05 20:15 . 2009-01-05 20:15 <DIR> d-------- c:\arquivos de programas\Lavalys 2009-01-05 19:07 . 
2009-01-05 19:07 <DIR> d-------- c:\windows\ERUNT 2009-01-05 19:02 . 2009-01-05 19:10 <DIR> d-------- C:\SDFix 2009-01-05 18:54 . 2002-08-29 01:50 24,960 --a------ c:\windows\system32\drivers\usbprint.sys 2009-01-05 18:54 . 2002-08-29 01:50 24,960 --a--c--- c:\windows\system32\dllcache\usbprint.sys 2009-01-05 12:10 . 2009-01-05 12:10 <DIR> d-------- c:\documents and settings\FERRARI & DOTORE REP\Dados de aplicativos\Malwarebytes 2009-01-05 12:10 . 2009-01-04 18:41 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2009-01-05 12:09 . 2009-01-05 12:09 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes 2009-01-05 12:09 . 2009-01-05 12:10 <DIR> d-------- c:\arquivos de programas\Malwarebytes' Anti-Malware 2009-01-05 12:09 . 2009-01-04 18:41 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2009-01-04 21:53 . 2009-01-04 21:53 <DIR> d-------- c:\windows\system32\Adobe 2009-01-04 21:53 . 2009-01-04 21:53 <DIR> d-------- c:\windows\Profiles 2009-01-04 21:53 . 2009-01-04 21:53 <DIR> d-------- c:\documents and settings\FERRARI & DOTORE REP\Dados de aplicativos\InterTrust 2009-01-04 21:53 . 2009-01-04 21:53 <DIR> d-------- c:\arquivos de programas\Arquivos comuns\Adobe 2009-01-04 21:53 . 1998-10-29 15:45 306,688 --a------ c:\windows\IsUninst.exe 2009-01-04 21:38 . 2009-01-04 21:38 415 --a------ c:\windows\ODBC.INI 2009-01-04 21:36 . 2009-01-04 21:36 <DIR> d-------- c:\windows\ShellNew 2009-01-04 21:35 . 2009-01-04 21:35 <DIR> d-------- c:\documents and settings\FERRARI & DOTORE REP\Dados de aplicativos\Microsoft Web Folders 2009-01-04 20:36 . 2009-01-04 20:36 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Lavasoft 2009-01-04 20:36 . 2009-01-04 20:36 <DIR> d-------- c:\arquivos de programas\Lavasoft 2009-01-04 20:35 . 2009-01-04 20:35 <DIR> d-------- c:\arquivos de programas\Arquivos comuns\Wise Installation Wizard 2009-01-04 17:53 . 
2009-01-04 17:53 <DIR> d----c--- c:\windows\system32\DRVSTORE 2009-01-04 17:53 . 2009-01-04 20:07 <DIR> d-------- c:\documents and settings\FERRARI & DOTORE REP\Contacts 2009-01-04 17:53 . 2009-01-04 17:53 <DIR> d-------- c:\arquivos de programas\MSN Messenger 2009-01-04 16:27 . 2009-01-04 16:27 <DIR> d---s---- c:\documents and settings\FERRARI & DOTORE REP\UserData 2009-01-04 16:09 . 2001-08-17 22:59 3,072 --a------ c:\windows\system32\drivers\audstub.sys 2009-01-04 16:07 . 2009-01-06 07:23 <DIR> d-------- c:\windows\system32\CatRoot2 2009-01-04 16:07 . 2009-01-04 15:13 <DIR> d--h----- c:\documents and settings\Default User\Modelos 2009-01-04 16:07 . 2009-01-04 16:07 <DIR> d-------- c:\documents and settings\Default User\Meus documentos 2009-01-04 16:07 . 2009-01-04 16:07 <DIR> dr------- c:\documents and settings\Default User\Menu Iniciar 2009-01-04 16:07 . 2009-01-04 16:07 <DIR> d-------- c:\documents and settings\Default User\Favoritos 2009-01-04 16:07 . 2009-01-04 16:07 <DIR> dr-h----- c:\documents and settings\Default User\Dados de aplicativos 2009-01-04 16:07 . 2009-01-04 16:07 <DIR> dr-h----- c:\documents and settings\Default User\Configurações locais 2009-01-04 16:07 . 2009-01-04 16:07 <DIR> d--h----- c:\documents and settings\Default User\Ambiente de rede 2009-01-04 16:07 . 2009-01-04 16:07 <DIR> d--h----- c:\documents and settings\Default User\Ambiente de impressão 2009-01-04 16:07 . 2009-01-04 16:07 <DIR> d--h----- c:\documents and settings\All Users\Modelos 2009-01-04 16:07 . 2009-01-04 21:38 <DIR> dr------- c:\documents and settings\All Users\Menu Iniciar 2009-01-04 16:07 . 2009-01-04 16:07 <DIR> d-------- c:\documents and settings\All Users\Favoritos 2009-01-04 16:07 . 2009-01-04 15:14 <DIR> dr------- c:\documents and settings\All Users\Documentos 2009-01-04 16:07 . 2009-01-05 12:09 <DIR> dr-h----- c:\documents and settings\All Users\Dados de aplicativos . 
((((((((((((((((((((((((((((((((((((( Relatório Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-01-04 23:35 --------- d-----w c:\arquivos de programas\microsoft frontpage 2009-01-04 17:54 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Avira 2009-01-04 17:54 --------- d-----w c:\arquivos de programas\Avira 2009-01-04 17:31 --------- d-----w c:\documents and settings\FERRARI & DOTORE REP\Dados de aplicativos\Motive 2009-01-04 17:30 --------- d-----w c:\arquivos de programas\Assistente Tecnico Speedy 2009-01-04 17:30 --------- d-----w c:\arquivos de programas\Arquivos comuns\Motive 2009-01-04 17:29 --------- d-----w c:\arquivos de programas\Motive 2009-01-04 17:29 --------- d-----w c:\arquivos de programas\Common Files 2009-01-04 17:26 --------- d-----w c:\arquivos de programas\Telefonica 2009-01-04 17:17 558,142 ----a-w c:\windows\java\Packages\NF7XBVL3.ZIP 2009-01-04 17:16 155,995 ----a-w c:\windows\java\Packages\9ZFLZXJL.ZIP 2009-01-04 17:14 --------- d-----w c:\arquivos de programas\Arquivos comuns\Serviços 2009-01-04 17:13 --------- d-----w c:\arquivos de programas\Serviços on-line . ((((((((((((((((((((((((((((( snapshot_2009-01-06_ 7.16.30,31 ))))))))))))))))))))))))))))))))))))))))) . 
- 2009-01-06 09:08:58 32,768 ----a-w c:\windows\system32\config\systemprofile\Configurações locais\Histórico\History.IE5\index.dat + 2009-01-06 09:19:27 32,768 ----a-w c:\windows\system32\config\systemprofile\Configurações locais\Histórico\History.IE5\index.dat - 2009-01-06 09:08:58 49,152 ----a-w c:\windows\system32\config\systemprofile\Configurações locais\Temporary Internet Files\Content.IE5\index.dat + 2009-01-06 09:19:27 49,152 ----a-w c:\windows\system32\config\systemprofile\Configurações locais\Temporary Internet Files\Content.IE5\index.dat - 2009-01-06 09:08:58 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat + 2009-01-06 09:19:27 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat . (((((((((((((((((((((((((( Pontos de Carregamento do Registro ))))))))))))))))))))))))))))))))))))))) . . *Nota* entradas vazias e legítimas por defeito não são mostradas. REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\System32\ctfmon.exe" [2002-09-09 13312] "MSMSGS"="c:\arquivos de programas\Messenger\msmsgs.exe" [2002-08-20 1511453] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Motive SmartBridge"="c:\arquiv~1\ASSIST~1\SMARTB~1\MotiveSB.exe" [2005-04-15 397312] "avgnt"="c:\arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497] "SysTrayApp"="c:\arquivos de programas\IDT\WDM\sttray.exe" [2008-09-18 442470] "Wmsncs Service"="c:\windows\Fonts\wmsncs.exe" [bU] "NvidMediaCenter"="c:\arquivos de programas\Arquivos comuns\System\wmsncs.exe" [bU] "Spool Driver Service"="c:\windows\System32\spool\drivers\wmsncs.exe" [bU] "Wins Service"="c:\windows\System32\wins\wmsncs.exe" [bU] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-09-09 13312] "Microsoft Msn Messenger"="c:\windows\System32\msmsgs.exe" [bU] "Wmsncs Service"="c:\windows\Fonts\wmsncs.exe" [bU] 
"NvidMediaCenter"="c:\arquivos de programas\Arquivos comuns\System\wmsncs.exe" [bU] "Spool Driver Service"="c:\windows\System32\spool\drivers\wmsncs.exe" [bU] "Wins Service"="c:\windows\System32\wins\wmsncs.exe" [bU] c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\ Assistente Tecnico Speedy.lnk - c:\arquivos de programas\Assistente Tecnico Speedy\bin\matcli.exe [2009-01-04 217088] Microsoft Office.lnk - c:\arquivos de programas\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "Shell"="explorer.exe \"c:\windows\Fonts\wmsncs.exe\"" [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) "DisableNotifications"= 1 (0x1) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "wmsncs.exe"= wmsncs.exe:SYSTEM R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [2009-01-04 22336] R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [2009-01-04 45376] R4 NET Runtime Optimization Service v2.1.41329_X86;NET Runtime Optimization Service v2.1.41329_X86;"c:\windows\Fonts\wmsncs.exe" --> c:\windows\Fonts\wmsncs.exe [?] S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\arquivos de programas\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [2009-01-05 23152] [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{103L3C30-C3B3-4130-9363-E59E1375PERM}] c:\windows\Fonts\wmsncs.exe . . ------- Scan Suplementar ------- . 
uStart Page = hxxp://www.gazetaesportiva.net/ uInternet Settings,ProxyOverride = 127.0.0.1 IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm TCP: {F7863334-89D9-4B42-978E-BB68E6F19025} = 200.204.0.10 200.204.0.138 O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-01-06 07:48:04 Windows 5.1.2600 Service Pack 1 NTFS Procurando processos ocultos ... c:\ark7.tmpfonts\wmsncs.exe [2008] 0x85BB1DA8 Procurando entradas auto inicializáveis ocultas ... Procurando ficheiros/arquivos ocultos ... Varredura completada com sucesso arquivos/ficheiros ocultos: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\EverestDriver] "ImagePath"="\??\c:\arquivos de programas\Lavalys\EVEREST Ultimate Edition\kerneld.wnt" . --------------------- DLLs Carregadas Sob os Processos em Execução --------------------- - - - - - - - > 'winlogon.exe'(536) c:\windows\System32\ODBC32.dll - - - - - - - > 'lsass.exe'(592) c:\windows\System32\dssenh.dll . 
Tempo para conclusão: 2009-01-06 7:48:27
ComboFix-quarantined-files.txt 2009-01-06 09:48:21
ComboFix2.txt 2009-01-06 09:16:54
ComboFix3.txt 2009-01-05 14:03:07
ComboFix4.txt 2009-01-04 19:29:00
ComboFix5.txt 2009-01-06 09:47:14
Pré-execução: 8 pasta(s) 155.932.082.176 bytes disponíveis
Pós execução: 8 pasta(s) 155,925,938,176 bytes disponíveis
174

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:54:20, on 6/1/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Lavasoft\Ad-Aware\aawservice.exe
C:\ARQUIV~1\ASSIST~1\SMARTB~1\MotiveSB.exe
C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Arquivos de programas\IDT\WDM\sttray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Arquivos de programas\Assistente Tecnico Speedy\bin\mad.exe
C:\Arquivos de programas\Assistente Tecnico Speedy\bin\mpbtn.exe
C:\ARQUIV~1\Motive\ASSTCO~1\MOTIVE~1.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\arquivos de programas\idt\5902xp_6033v_012208\wdm\STacSV.exe
C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\explorer.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\FERRARI & DOTORE REP\Configurações locais\temp\Diretório temporário 1 para HiJackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gazetaesportiva.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=explorer.exe "C:\WINDOWS\Fonts\wmsncs.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Motive SmartBridge] "C:\ARQUIV~1\ASSIST~1\SMARTB~1\MotiveSB.exe" /restart
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [Wmsncs Service] C:\WINDOWS\Fonts\wmsncs.exe
O4 - HKLM\..\Run: [NvidMediaCenter] C:\Arquivos de programas\Arquivos comuns\System\wmsncs.exe
O4 - HKLM\..\Run: [Spool Driver Service] C:\WINDOWS\System32\spool\drivers\wmsncs.exe
O4 - HKLM\..\Run: [Wins Service] C:\WINDOWS\System32\wins\wmsncs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Msn Messenger] C:\WINDOWS\System32\msmsgs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Wmsncs Service] C:\WINDOWS\Fonts\wmsncs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [NvidMediaCenter] C:\Arquivos de programas\Arquivos comuns\System\wmsncs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Spool Driver Service] C:\WINDOWS\System32\spool\drivers\wmsncs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Wins Service] C:\WINDOWS\System32\wins\wmsncs.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Assistente Tecnico Speedy.lnk = C:\Arquivos de programas\Assistente Tecnico Speedy\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7863334-89D9-4B42-978E-BB68E6F19025}: NameServer = 200.204.0.10 200.204.0.138
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Arquivos de programas\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: NET Runtime Optimization Service v2.1.41329_X86 - Unknown owner - C:\WINDOWS\Fonts\wmsncs.exe (file missing)
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\arquivos de programas\idt\5902xp_6033v_012208\wdm\STacSV.exe

--
End of file - 5151 bytes
PedroN, posted January 7, 2009

I suggest you print or save the procedures below, and do not use the internet until the procedure is finished.

Select and copy the text inside the QUOTE (grey box) below. Open Notepad and paste what you copied. Then save it to the desktop with the name CFScript.txt.

File::
c:\windows\Fonts\wmsncs.exe
c:\windows\System32\wins\wmsncs.exe
c:\windows\System32\spool\drivers\wmsncs.exe

Folder::
c:\windows\ShellNew

Driver::
"BITS"
"wmsncs.exe"

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wmsncs Service"=-
"NvidMediaCenter"=-
"Spool Driver Service"=-
"Wins Service"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"=-

This script was written only for this computer, according to the files and keys present; do not use it on another computer, as it may cause damage.

Now drag CFScript.txt onto ComboFix as shown in the demonstration below. ComboFix will run and will restart the PC automatically to complete the removal process. IMPORTANT: Do not use the mouse or the keyboard while ComboFix is running. When it finishes, a log will be generated at C:\ComboFix.txt.

- Restart the computer in Safe Mode (press the F8 key repeatedly, or F5 in some cases, during startup);
- Open HijackThis, click Do a system scan only and check the entries below:

F2 - REG:system.ini: Shell=explorer.exe "C:\WINDOWS\Fonts\wmsncs.exe"
O4 - HKLM\..\Run: [Wmsncs Service] C:\WINDOWS\Fonts\wmsncs.exe
O4 - HKLM\..\Run: [Spool Driver Service] C:\WINDOWS\System32\spool\drivers\wmsncs.exe
O4 - HKUS\S-1-5-18\..\Run: [Spool Driver Service] C:\WINDOWS\System32\spool\drivers\wmsncs.exe (User 'SYSTEM')

P.S.: If you do not find some of the entries in HijackThis, that is not a problem; fix only the ones you do find.
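One way to pick out the entries PedroN lists above mechanically, as an added example that is not code from this thread, from HijackThis or from ComboFix: the script below reads HijackThis O4/F2/O23 lines and flags any executable registered from a directory where no legitimate autostart normally lives, any entry whose file is already missing, and any single binary name registered from several different paths. The directory list and the heuristics are assumptions made for this example, and the sample lines are constructed from the log posted above with two benign entries added for contrast.

```python
"""Flag suspicious autostart entries in a HijackThis-style log.

Added example for this thread; it is not code from the forum, HijackThis
or ComboFix. The location list and the heuristics below are this example's
own choices, not a vendor rule set.
"""
import re
from collections import defaultdict

# Path fragments where a legitimate autostart program does not normally
# live. Chosen for this example from the locations seen in the thread.
SUSPICIOUS_DIRS = (
    "\\windows\\fonts\\",
    "\\system32\\wins\\",
    "\\system32\\spool\\drivers\\",
    "\\arquivos comuns\\system\\",   # Portuguese "Common Files\System"
    "\\common files\\system\\",
)

# HijackThis sections that register something to run at start-up.
AUTOSTART_SECTIONS = {"F2", "O4", "O23"}

# Matches one quoted or unquoted absolute path ending in .exe.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\r\n]*?\.exe)"?', re.IGNORECASE)

# Constructed sample input: lines taken from the HijackThis log posted
# above, plus two benign entries (avgnt, ctfmon) for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe "C:\WINDOWS\Fonts\wmsncs.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Wmsncs Service] C:\WINDOWS\Fonts\wmsncs.exe
O4 - HKLM\..\Run: [NvidMediaCenter] C:\Arquivos de programas\Arquivos comuns\System\wmsncs.exe
O4 - HKLM\..\Run: [Spool Driver Service] C:\WINDOWS\System32\spool\drivers\wmsncs.exe
O4 - HKLM\..\Run: [Wins Service] C:\WINDOWS\System32\wins\wmsncs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: NET Runtime Optimization Service v2.1.41329_X86 - Unknown owner - C:\WINDOWS\Fonts\wmsncs.exe (file missing)
"""


def parse_entries(log_text):
    """Yield (section, line, path) for each autostart line that names an .exe."""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]  # 'F2', 'O4', 'O23', ...
        if section not in AUTOSTART_SECTIONS:
            continue
        match = PATH_RE.search(line)
        if match:
            yield section, line, match.group(1)


def reasons_for(path, line):
    """Return the reasons one entry looks suspicious (empty list if none)."""
    low = path.lower()
    reasons = []
    if any(fragment in low for fragment in SUSPICIOUS_DIRS):
        reasons.append("runs from a directory that legitimate autostarts do not use")
    if "(file missing)" in line.lower():
        reasons.append("references a file that no longer exists")
    return reasons


def flag_suspicious(log_text):
    """Map each suspicious path (lower-cased) to its list of reasons."""
    findings = defaultdict(list)
    paths_by_name = defaultdict(set)
    for _section, line, path in parse_entries(log_text):
        key = path.lower()
        paths_by_name[key.rsplit("\\", 1)[-1]].add(key)
        for reason in reasons_for(path, line):
            if reason not in findings[key]:
                findings[key].append(reason)
    # One executable name registered from several different directories is
    # the self-replicating pattern visible in the log above.
    for name, paths in paths_by_name.items():
        if len(paths) > 1:
            reason = f"'{name}' is registered from {len(paths)} different paths"
            for key in paths:
                if reason not in findings[key]:
                    findings[key].append(reason)
    return dict(findings)


if __name__ == "__main__":
    for path, reasons in sorted(flag_suspicious(SAMPLE_LOG).items()):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the four wmsncs.exe copies are reported and the Avira and ctfmon entries are not; the same-name-many-paths rule is what separates this kind of dropper from a single misplaced program, so it is worth keeping even when the directory list is tuned for a different machine.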
DOTORE, posted January 9, 2009

Sr. Perfect, I carried out all the procedures. The problem is that the virus appears again, through the ARK*.TMP file. I have Avira. It recognises it and deletes it, but the infected file immediately reappears with another number (e.g. ARK7.TMP... the antivirus deletes it, but an ARK8.TMP appears right away). What could be activating this virus? I am not using pen drives here... only the internet, and only trusted sites! Here is the Avira log:

Avira AntiVir Personal
Report file date: sexta-feira, 9 de janeiro de 2009 09:12

Scanning for 1173832 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 1) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: FERRARIDOTORE

Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 18/11/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 4/1/2009 18:12:30
AVSCAN.DLL : 8.1.4.0 40705 Bytes 26/5/2008 11:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 12/6/2008 16:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 26/5/2008 11:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 27/10/2008 18:12:31
ANTIVIR1.VDF : 7.1.1.33 1705984 Bytes 24/12/2008 18:12:31
ANTIVIR2.VDF : 7.1.1.88 726528 Bytes 8/1/2009 10:34:02
ANTIVIR3.VDF : 7.1.1.91 19968 Bytes 9/1/2009 10:34:04
Engineversion : 8.2.0.45
AEVDF.DLL : 8.1.0.6 102772 Bytes 14/10/2008 14:05:56
AESCRIPT.DLL : 8.1.1.19 336252 Bytes 4/1/2009 18:12:31
AESCN.DLL : 8.1.1.5 123251 Bytes 4/1/2009 18:12:31
AERDL.DLL : 8.1.1.3 438645 Bytes 4/1/2009 18:12:31
AEPACK.DLL : 8.1.3.4 393591 Bytes 4/1/2009 18:12:31
AEOFFICE.DLL : 8.1.0.33 196987 Bytes 4/1/2009 18:12:31
AEHEUR.DLL : 8.1.0.75 1524087 Bytes 4/1/2009 18:12:31
AEHELP.DLL : 8.1.2.0 119159 Bytes 4/1/2009 18:12:31
AEGEN.DLL : 8.1.1.8 323956 Bytes 4/1/2009 18:12:31
AEEMU.DLL : 8.1.0.9 393588 Bytes 14/10/2008 14:05:56
AECORE.DLL : 8.1.5.2 172405 Bytes 4/1/2009 18:12:31
AEBB.DLL : 8.1.0.3 53618 Bytes 14/10/2008 14:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 9/7/2008 12:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 16/5/2008 13:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 4/1/2009 18:12:31
AVREG.DLL : 8.0.0.1 33537 Bytes 9/5/2008 15:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 12/2/2008 12:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 12/6/2008 16:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 22/1/2008 21:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 12/6/2008 16:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 25/1/2008 16:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 12/6/2008 17:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 27/6/2008 17:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\arquivos de programas\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: sexta-feira, 9 de janeiro de 2009 09:12

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'stacsv.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'MOTIVE~1.EXE' - '1' Module(s) have been scanned
Scan process 'mpbtn.exe' - '1' Module(s) have been scanned
Scan process 'mad.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'sttray.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'MotiveSB.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
28 processes with 28 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
[WARNING] System error [21]: O dispositivo não está pronto.
Master boot sector HD2
[INFO] No virus was found!
[WARNING] System error [21]: O dispositivo não está pronto.
Master boot sector HD3
[INFO] No virus was found!
[WARNING] System error [21]: O dispositivo não está pronto.
Master boot sector HD4
[INFO] No virus was found!
[WARNING] System error [21]: O dispositivo não está pronto.

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
C:\WINDOWS\Fonts\wmsncs.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[WARNING] The file could not be deleted!
[NOTE] Attempting to perform action using the ARK lib.
[NOTE] The file was deleted!
C:\Arquivos de programas\Arquivos comuns\System\wmsncs.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[WARNING] The file could not be deleted!
[NOTE] Attempting to perform action using the ARK lib.
[NOTE] The file was deleted!
C:\WINDOWS\system32\spool\drivers\wmsncs.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\wins\wmsncs.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was deleted!
C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\wmsncs.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was deleted!
The registry was scanned ( '53' files ).

Starting the file scan:

Begin scan in 'C:\'
C:\ARK2.tmp
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[WARNING] The file could not be deleted!
[NOTE] Attempting to perform action using the ARK lib.
[NOTE] The file was deleted!
C:\ARK3.tmp
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was deleted!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{02546EAC-2BBD-4F47-8768-F2ED46EDDDF2}\RP17\A0032838.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{02546EAC-2BBD-4F47-8768-F2ED46EDDDF2}\RP17\A0032839.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{02546EAC-2BBD-4F47-8768-F2ED46EDDDF2}\RP17\A0032840.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{02546EAC-2BBD-4F47-8768-F2ED46EDDDF2}\RP17\A0032841.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\wmsoft48147.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was deleted!

End of the scan: sexta-feira, 9 de janeiro de 2009 09:27
Used time: 15:20 Minute(s)

Thank you for the help and the patience!
PedroN, posted January 9, 2009

You forgot to post the ComboFix log and an updated HijackThis log.
Mário Monteiro, posted February 10, 2009

Topic Archived

As the author did not reply for more than 30 days, the topic was archived. If you are the author of the topic and want to reopen it, send a private message to a moderator of this area together with the link to this topic and explain the reason for reopening it.