Computador lento, photoshop travando

[BelTavares 0]

Amigos, primeiramente obrigada antecipadamente,

 

Há algum tempo peguei um virus, formatei a máquina, e mesmo assim logo depois começaram as lentidões na máquina... resolvi algumas, como por exemplo desativando as atualizações automáticas do windows, pois alguns processos estavam usando quase 100% da capacidade da CPU.

 

O novo problema que apareceu é o seguinte... meu computador continua um pouco lento, e principalmente, não consigo salvar nenhum arquivo no Photoshop. Quando clico em salvar ou salvar como... ele por um segundo aparece a janela de salvar mas some e trava o photoshop.

 

Tenho o Windows live One Care instalado, já tentei alguns antispywares e nada resolveu, aliás nenhum deles detecta virus ou malwares.

 

Por favor, vocês poderiam analisar meu Log e me ajudar a me livrar definitivamente desses problemas?

 

Obrigada novamente.

 

Isabel

 

 

Segue Log:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:13:52, on 19/1/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\Arquivos de programas\Microsoft Windows OneCare Live\OcHealthMon.exe

C:\Arquivos de programas\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe

C:\Arquivos de programas\Microsoft Windows OneCare Live\winss.exe

C:\Arquivos de programas\Microsoft Windows OneCare Live\winssnotify.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Arquivos de programas\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Skype\Phone\Skype.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\3M\PSNLite\PsnLite.exe

C:\ARQUIV~1\3M\PSNLite\PSNGive.exe

C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe

C:\WINDOWS\system32\svchost.exe

C:\Hijack\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre6\bin\ssv.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Rfivaguzeyawebe] rundll32.exe "C:\WINDOWS\Llukomig.dll",e

O4 - HKLM\..\Run: [OneCareUI] "C:\Arquivos de programas\Microsoft Windows OneCare Live\winssnotify.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Arquivos de programas\3M\PSNLite\PsnLite.exe

O8 - Extra context menu item: Append to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Sothink SWF Catcher - C:\Arquivos de programas\Arquivos comuns\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Arquivos de programas\Arquivos comuns\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Arquivos de programas\Arquivos comuns\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/jre/6u1...ows-i586-jc.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe

O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Arquivos de programas\Arquivos comuns\Macromedia Shared\Service\Macromedia Licensing.exe

 

--

End of file - 8629 bytes

[DigRam 144]

Boa Noite! BelTavares

 

<@> Baixe: < ComboFix.exe > ( ...by sUBs )

<@> Salve-o no Desktop!

<@> Desabilite as proteções residente de: antivírus,antispywares e firewall. ( Menos o do Windows! )

<@> Feche todas as janelas e execute a ferramenta!

<@> Na solicitação: "Negação de garantia de software" --> Clique em Sim!

<@> Não possuindo o "Console de Recuperação",aceite optar pela instalação do mesmo!

 

<!> Caso aconteça a notificação de: Aplicativo Win32 inválido,delete a ferramenta e faça,novamente,o download.

<!> Salve-a no desktop,renomeada como: Kombo.exe

<!> Ps: Nomeie durante o salvamento,e não após salvá-la!

<!> Ps: Surgindo alguma mensagem de erro,rode o ComboFix.exe em Modo de Segurança. <-- Link!

<!> Ps: Para completar as remoções,talvez haja necessidade da ferramenta reiniciar o computador. <-- Aguarde!

<!> Ps: Evite executar,voluntariamente,esta ferramenta!Siga,àcima,todas as recomendações propostas.

<@> Abrir-se-á a janela Auto Scan. --> Aguarde!

<@> Àfim de completar as remoções,o ComboFix poderá reiniciar o computador.

<@> Se houver necessidade,digite a opção para continuar! --> ( 1 ) --> Aperte Enter! --> Aguarde a conclusão!

<@> Durante o scan,evite manusear o mouse ou teclado! <-- Importante!

<@> Para parar ou sair do ComboFix,tecle "N" ou "2" --> Aperte Enter!

----------------------

<@> Terminando,poste os relatórios: C:\ComboFix.txt + HijackThis,atualizado.

 

Abraços!

[BelTavares 0]

Obrigada pela resposta DigRam,

 

Fiz os procedimentos indicados por você... seguem abaixo os logs do HiJack e do Combofix:

 

Fico no aguardo de sua enorme ajuda.

 

 

obrigada mais uma vez.

 

Isabel

 

___________________________________________

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:57:16, on 23/1/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\Arquivos de programas\Microsoft Windows OneCare Live\OcHealthMon.exe

C:\Arquivos de programas\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe

C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Arquivos de programas\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Skype\Phone\Skype.exe

C:\Arquivos de programas\3M\PSNLite\PsnLite.exe

C:\ARQUIV~1\3M\PSNLite\PSNGive.exe

C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe

C:\WINDOWS\system32\drwtsn32.exe

C:\WINDOWS\system32\drwtsn32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\drwtsn32.exe

C:\WINDOWS\system32\drwtsn32.exe

C:\WINDOWS\system32\drwtsn32.exe

C:\Arquivos de programas\Microsoft Windows OneCare Live\winss.exe

C:\Arquivos de programas\Microsoft Windows OneCare Live\winssnotify.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\imapi.exe

C:\WINDOWS\explorer.exe

C:\Hijack\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre6\bin\ssv.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [OneCareUI] "C:\Arquivos de programas\Microsoft Windows OneCare Live\winssnotify.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Arquivos de programas\3M\PSNLite\PsnLite.exe

O8 - Extra context menu item: Append to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Sothink SWF Catcher - C:\Arquivos de programas\Arquivos comuns\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Arquivos de programas\Arquivos comuns\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Arquivos de programas\Arquivos comuns\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/jre/6u1...ows-i586-jc.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe

O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Arquivos de programas\Arquivos comuns\Macromedia Shared\Service\Macromedia Licensing.exe

 

--

End of file - 8399 bytes

 

 

________________________________________________________________

 

 

 

ComboFix 09-01-21.04 - Isabel Tavares 2009-01-23 16:51:44.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1046.18.1278.803 [GMT -2:00]

Executando de: c:\documents and settings\Isabel Tavares\Desktop\ComboFix.exe

AV: Windows Live OneCare *On-access scanning enabled* (Updated)

FW: Firewall do Windows Live OneCare *enabled*

* Criado um novo ponto de restauro

 

ATENÇAO - ESTA MAQUINA NAO TEM O CONSOLE DE RECUPERAÇÃO INSTALADA !!

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\Sys.exe

c:\windows\system32\a.exe

c:\windows\system32\drivers\str.sys

c:\windows\wiaserviv.log

 

.

(((((((((((((((( Arquivos/Ficheiros criados de 2008-12-23 to 2009-01-23 ))))))))))))))))))))))))))))

.

 

2009-01-19 14:08 . 2009-01-19 14:13 <DIR> d-------- C:\Hijack

2009-01-08 14:18 . 2009-01-08 14:18 93,319 --a------ c:\windows\Email Marketing Pro 2008 Uninstaller.exe

2009-01-08 14:17 . 2009-01-14 15:40 <DIR> d-------- c:\arquivos de programas\Email Marketing Pro 2008

2009-01-06 11:18 . 2009-01-06 11:18 <DIR> d-------- c:\documents and settings\Isabel Tavares\Dados de aplicativos\Phoenix

2009-01-06 11:18 . 2009-01-06 11:18 110,592 --a------ c:\windows\UninstallFirefox.exe

2009-01-06 11:17 . 2009-01-06 11:17 3,740 --a------ c:\windows\mozver.dat

2008-12-23 10:28 . 2008-12-23 10:29 <DIR> d-------- c:\arquivos de programas\SmartFTP FTP Library

2008-12-23 10:23 . 2008-12-23 10:23 <DIR> d-------- c:\arquivos de programas\SmartFTP Client

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-23 18:27 --------- d-----w c:\documents and settings\Isabel Tavares\Dados de aplicativos\Skype

2009-01-23 18:09 --------- d-----w c:\documents and settings\Isabel Tavares\Dados de aplicativos\skypePM

2009-01-23 13:23 --------- d-----w c:\arquivos de programas\Microsoft Windows OneCare Live

2009-01-08 18:37 --------- d-----w c:\arquivos de programas\ESET

2009-01-08 12:53 --------- d-----w c:\arquivos de programas\Isabel

2008-12-23 16:39 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help

2008-12-23 12:23 --------- d-----w c:\arquivos de programas\SmartFTP Client 3.0 Setup Files

2008-12-16 16:54 --------- d--h--w c:\arquivos de programas\InstallShield Installation Information

2008-12-16 16:54 --------- d-----w c:\arquivos de programas\Arquivos comuns\InstallShield

2008-12-15 18:33 --------- d-----w c:\arquivos de programas\SourceTec

2008-12-15 18:33 --------- d-----w c:\arquivos de programas\Arquivos comuns\SourceTec

2008-12-15 16:26 --------- d-----w c:\arquivos de programas\WebDeveloper

2008-12-15 12:29 --------- d--h--w c:\arquivos de programas\Zero G Registry

2008-12-15 12:29 --------- d-----w c:\arquivos de programas\iseemedia

2008-12-12 12:03 410,984 ----a-w c:\windows\system32\deploytk.dll

2008-12-12 12:03 --------- d-----w c:\arquivos de programas\Java

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-12-10 15:50 --------- d-----w c:\arquivos de programas\Unity

2008-12-09 17:43 --------- d-----w c:\arquivos de programas\Real Alternative

2008-12-09 17:36 --------- d-----w c:\documents and settings\Isabel Tavares\Dados de aplicativos\Media Player Classic

2008-12-05 18:53 --------- d-----w c:\arquivos de programas\Microsoft SQL Server

2008-12-05 13:23 --------- d-----w c:\arquivos de programas\KOGUT

2008-12-05 13:21 --------- d-----w c:\arquivos de programas\Kogut eBusiness Solutions

2008-11-27 18:36 --------- d-----w c:\arquivos de programas\Arquivos comuns\Adobe

2008-11-27 18:31 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\ALM

2008-11-27 18:05 --------- d-----w c:\arquivos de programas\Bonjour

2008-11-27 17:56 --------- d-----w c:\arquivos de programas\Arquivos comuns\Macrovision Shared

2008-11-24 16:01 --------- d-----w c:\arquivos de programas\Lexmark_HostCD

2008-11-24 12:44 --------- d-----w c:\arquivos de programas\Windows Live Safety Center

2008-10-23 12:37 286,720 ----a-w c:\windows\system32\gdi32.dll

2004-02-06 19:19 53,248 ----a-w c:\arquivos de programas\mozilla firefox\components\jar50.dll

2004-02-06 19:33 65,536 ----a-w c:\arquivos de programas\mozilla firefox\components\jsd3250.dll

2004-02-06 19:33 172,032 ----a-w c:\arquivos de programas\mozilla firefox\components\xpinstal.dll

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"Skype"="c:\arquivos de programas\Skype\Phone\Skype.exe" [2008-09-23 21755688]

"MSMSGS"="c:\arquivos de programas\Messenger\msmsgs.exe" [2008-04-13 1695232]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"OneCareUI"="c:\arquivos de programas\Microsoft Windows OneCare Live\winssnotify.exe" [2008-11-05 64880]

"Acrobat Assistant 8.0"="c:\arquivos de programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]

"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre6\bin\jusched.exe" [2008-12-12 136600]

"SoundMan"="SOUNDMAN.EXE" [2006-11-17 c:\windows\soundman.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\

Post-it© Software Notes Lite.lnk - c:\arquivos de programas\3M\PSNLite\PsnLite.exe [2004-10-15 2080768]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]

@="Service"

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe"=

"c:\\Arquivos de programas\\SmartFTP Client\\SmartFTP.exe"=

"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

 

R4 OcHealthMon;Windows Live OneCare Health Monitor;c:\arquivos de programas\Microsoft Windows OneCare Live\OcHealthMon.exe [2008-11-05 25968]

S4 hirfkhfblgblk;hirfkhfblgblk;\??\c:\windows\system32\drivers\bzhgci.sys --> c:\windows\system32\drivers\bzhgci.sys [?]

.

- - - - ORFÃOS REMOVIDOS - - - -

 

HKLM-Run-Rfivaguzeyawebe - c:\windows\Llukomig.dll

 

 

.

------- Scan Suplementar -------

.

uStart Page = about:blank

uInternet Settings,ProxyOverride = *.local

IE: Append to existing PDF - c:\arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Sothink SWF Catcher - c:\arquivos de programas\Arquivos comuns\SourceTec\SWF Catcher\InternetExplorer.htm

FF - ProfilePath -

.

 

**************************************************************************

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos:

 

**************************************************************************

.

Tempo para conclusão: 2009-01-23 16:54:48

ComboFix-quarantined-files.txt 2009-01-23 18:54:46

 

Pré-execução: 12 pasta(s) 71.627.698.176 bytes disponíveis

Pós execução: 12 pasta(s) 71,901,097,984 bytes disponíveis

 

125 --- E O F --- 2009-01-15 19:57:05

[DigRam 144]

Bom Dia! BelTavares

 

<@> Vá em Iniciar --> Executar --> Digite ou cole: combofix.exe /u --> Clique OK.

<@> Abrir-se-á,a seguinte janela: ( Abrir arquivo - Aviso de Segurança )

<@> Clique em Executar --> Aguarde!

<@> Surgirá,finalmente,a mensagem: "ComboFix está desinstalado" --> Clique OK.

<@> Caso encontre,apague: C:\ComboFix <-- A pasta! + C:\ComboFix.txt <-- Relatório!

-----------------------------

<@> Baixe: < avz4en.zip > ou < avz_antiviral_toolkit >

<@> Salve-o em Arquivos de programas,e descompacte-o aí mesmo!

<@> Abra a pasta avz4 e execute o aplicativo,com um duplo-clique. <-- Ícone escudo e espada!

<@> Conecte-se à Internet,e atualize o Toolkit. --> "File" --> "Database Update".

<@> Terminando,não faça ainda nenhuma verificação.

<@> Na aba "Search range",marque todas as caixinhas.

<@> Em "File types",marque o botão "All files".

<@> Em "Actions",marque: "Perform healing"

<@> Nos campos,abaixo de "Perform healing",escolha "Report only",para todos os ítens.

<@> Abaixo de "RiskWare",marque a caixa "Copy suspicious files to Quarantine". <-- Somente esta caixa!

<@> No menu "Search parameters",maximize o ajuste "Heuristic analyses".

<@> Marque a caixa "Extended analysis". <-- Somente esta caixa!

<@> Por default,não desmarque as que estão assinaladas!

<@> Feche os programas que estejam abertos,e rode a ferramenta! <-- Clique em Start.

<@> Terminando o scan,clique no ícone "Save log",para dispormos do relatório. ( avz_log )

<@> Clique,também,no ícone dos "óculos".

<@> Clique em "Save as CSV".

<@> Salve,este relatório,no desktop! <-- Formato de texto. ( *.txt )

<@> Nomeie-o como: view_log

<@> Copie e poste: avz_log.txt + view_log.txt,na sua resposta.

 

Abraços!

[BelTavares 0]

Bom dia DigRam. Obrigada por sua resposta!

 

Aí seguem os logs:

 

view_log.txt:

 

C:\System Volume Information\_restore{6CB5D046-2D27-4D92-8FF7-DE8838AD5638}\RP58\A0012030.com;3;PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)

C:\WINDOWS\ie7\reg00108;2;Suspicion for VirTool.Win32.SehTr ( 00032A56 00000000 0019178F 00000000 8192)

C:\Arquivos de programas\SmartFTP Client\sfShellTools.dll;5;Suspicion for Keylogger or Trojan DLL

 

 

avz_log.txt

 

AVZ Antiviral Toolkit log; AVZ version is 4.30

Scanning started at 29/1/2009 08:48:20

Database loaded: signatures - 207613, NN profile(s) - 2, microprograms of healing - 56, signature database released 28.01.2009 21:34

Heuristic microprograms loaded: 372

SPV microprograms loaded: 9

Digital signatures of system files loaded: 86360

Heuristic analyzer mode: Maximum heuristics level

Healing mode: enabled

Windows version: 5.1.2600, Service Pack 3 ; AVZ is launched with administrator rights

System Restore: enabled

1. Searching for Rootkits and programs intercepting API functions

1.1 Searching for user-mode API hooks

Analysis: kernel32.dll, export table found in section .text

Analysis: ntdll.dll, export table found in section .text

Analysis: user32.dll, export table found in section .text

Analysis: advapi32.dll, export table found in section .text

Analysis: ws2_32.dll, export table found in section .text

Analysis: wininet.dll, export table found in section .text

Analysis: rasapi32.dll, export table found in section .text

Analysis: urlmon.dll, export table found in section .text

Analysis: netapi32.dll, export table found in section .text

1.2 Searching for kernel-mode API hooks

Driver loaded successfully

SDT found (RVA=08B520)

Kernel ntoskrnl.exe found in memory at address 804D7000

SDT = 80562520

KiST = 804E48B0 (284)

Functions checked: 284, intercepted: 0, restored: 0

1.3 Checking IDT and SYSENTER

Analysis for CPU 1

Analysis for CPU 2

Checking IDT and SYSENTER - complete

1.4 Searching for masking processes and drivers

Checking not performed: extended monitoring driver (AVZPM) is not installed

Driver loaded successfully

1.5 Checking of IRP handlers

Checking - complete

2. Scanning memory

Number of processes found: 33

Analyzer: process under analysis is 1088 C:\Arquivos de programas\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe

[ES]:Contains network functionality

[ES]:Application has no visible windows

Analyzer: process under analysis is 1668 C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE

[ES]:Application has no visible windows

[ES]:Located in system folder

Analyzer: process under analysis is 332 C:\Arquivos de programas\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe

[ES]:Contains network functionality

[ES]:Application has no visible windows

[ES]:Loads RASAPI DLL - may use dialing ?

Analyzer: process under analysis is 1508 C:\Arquivos de programas\Microsoft Windows OneCare Live\winssnotify.exe

[ES]:Contains network functionality

[ES]:Application has no visible windows

[ES]:Registered in autoruns !!

Analyzer: process under analysis is 1784 C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[ES]:Contains network functionality

[ES]:Application has no visible windows

[ES]:Registered in autoruns !!

[ES]:Loads RASAPI DLL - may use dialing ?

Analyzer: process under analysis is 2396 C:\ARQUIV~1\3M\PSNLite\PSNGive.exe

[ES]:Contains network functionality

[ES]:Application has no visible windows

Number of modules loaded: 329

Scanning memory - complete

3. Scanning disks

Direct reading C:\Arquivos de programas\Microsoft Windows OneCare Live\ClientSD\Ent.dat

Direct reading C:\Arquivos de programas\Microsoft Windows OneCare Live\ClientSD\Prov\service.xml

Direct reading C:\Arquivos de programas\Microsoft Windows OneCare Live\ClientSD\Prov\service.xml.bak

Direct reading C:\Arquivos de programas\Microsoft Windows OneCare Live\Database\edb.log

Direct reading C:\Arquivos de programas\Microsoft Windows OneCare Live\Database\tmp.edb

Direct reading C:\Arquivos de programas\Microsoft Windows OneCare Live\onecaremp_log.bin

Direct reading C:\Arquivos de programas\Microsoft Windows OneCare Live\WinSSSvc_log.bin

Direct reading C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr0.dat

Direct reading C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr1.dat

Direct reading C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\OneCare Protection\Support\MPLog-11242008-120143.log

Direct reading C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Protection Service\edb.log

Direct reading C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Protection Service\edbtmp.log

Direct reading C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Protection Service\MPSSVCPolicyIdLog.etl

Direct reading C:\Documents and Settings\Isabel Tavares\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat

Direct reading C:\Documents and Settings\Isabel Tavares\Configurações locais\Histórico\History.IE5\index.dat

Direct reading C:\Documents and Settings\Isabel Tavares\Configurações locais\Temporary Internet Files\Content.IE5\index.dat

Direct reading C:\Documents and Settings\Isabel Tavares\Cookies\index.dat

Direct reading C:\Documents and Settings\Isabel Tavares\Dados de aplicativos\3M\PSNotes\PSNData

Direct reading C:\Documents and Settings\Isabel Tavares\Dados de aplicativos\Skype\isabel_tavares\chat1024.dbb

Direct reading C:\Documents and Settings\Isabel Tavares\Dados de aplicativos\Skype\isabel_tavares\chat512.dbb

Direct reading C:\Documents and Settings\Isabel Tavares\Dados de aplicativos\Skype\isabel_tavares\chatmember256.dbb

Direct reading C:\Documents and Settings\Isabel Tavares\Dados de aplicativos\Skype\isabel_tavares\chatmsg1024.dbb

Direct reading C:\Documents and Settings\Isabel Tavares\Dados de aplicativos\Skype\isabel_tavares\chatmsg2048.dbb

Direct reading C:\Documents and Settings\Isabel Tavares\Dados de aplicativos\Skype\isabel_tavares\chatmsg256.dbb

Direct reading C:\Documents and Settings\Isabel Tavares\Dados de aplicativos\Skype\isabel_tavares\chatmsg4096.dbb

Direct reading C:\Documents and Settings\Isabel Tavares\Dados de aplicativos\Skype\isabel_tavares\chatmsg512.dbb

Direct reading C:\Documents and Settings\Isabel Tavares\Dados de aplicativos\Skype\isabel_tavares\dyncontent\bundle.dat

Direct reading C:\Documents and Settings\Isabel Tavares\Dados de aplicativos\Skype\isabel_tavares\index2.dat

Direct reading C:\Documents and Settings\Isabel Tavares\Dados de aplicativos\Skype\isabel_tavares\transfer512.dbb

Direct reading C:\Documents and Settings\Isabel Tavares\Dados de aplicativos\Skype\isabel_tavares\user1024.dbb

Direct reading C:\Documents and Settings\Isabel Tavares\Dados de aplicativos\Skype\isabel_tavares\user16384.dbb

Direct reading C:\Documents and Settings\Isabel Tavares\Dados de aplicativos\Skype\isabel_tavares\user4096.dbb

Direct reading C:\Documents and Settings\Isabel Tavares\NTUSER.DAT

Direct reading C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat

Direct reading C:\Documents and Settings\LocalService\Configurações locais\Histórico\History.IE5\index.dat

Direct reading C:\Documents and Settings\LocalService\Configurações locais\Temporary Internet Files\Content.IE5\index.dat

Direct reading C:\Documents and Settings\LocalService\Cookies\index.dat

Direct reading C:\Documents and Settings\LocalService\NTUSER.DAT

Direct reading C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat

Direct reading C:\Documents and Settings\NetworkService\NTUSER.DAT

C:\System Volume Information\_restore{6CB5D046-2D27-4D92-8FF7-DE8838AD5638}\RP58\A0012030.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)

File quarantined succesfully (C:\System Volume Information\_restore{6CB5D046-2D27-4D92-8FF7-DE8838AD5638}\RP58\A0012030.com)

Direct reading C:\System Volume Information\_restore{6CB5D046-2D27-4D92-8FF7-DE8838AD5638}\RP60\change.log

C:\WINDOWS\ie7\reg00108 >>> suspicion for VirTool.Win32.SehTr ( 00032A56 00000000 0019178F 00000000 8192)

File quarantined succesfully (C:\WINDOWS\ie7\reg00108)

Direct reading C:\WINDOWS\SchedLgU.Txt

Direct reading C:\WINDOWS\SoftwareDistribution\ReportingEvents.log

Direct reading C:\WINDOWS\system32\CatRoot2\edb.log

Direct reading C:\WINDOWS\system32\CatRoot2\tmp.edb

Direct reading C:\WINDOWS\system32\config\AppEvent.Evt

Direct reading C:\WINDOWS\system32\config\default

Direct reading C:\WINDOWS\system32\config\Internet.evt

Direct reading C:\WINDOWS\system32\config\MSFWSVC.evt

Direct reading C:\WINDOWS\system32\config\ODiag.evt

Direct reading C:\WINDOWS\system32\config\OSession.evt

Direct reading C:\WINDOWS\system32\config\SAM

Direct reading C:\WINDOWS\system32\config\SecEvent.Evt

Direct reading C:\WINDOWS\system32\config\SECURITY

Direct reading C:\WINDOWS\system32\config\SysEvent.Evt

Direct reading C:\WINDOWS\system32\config\system

Direct reading C:\WINDOWS\system32\config\Windows_OneCare_Evt.evt

Direct reading C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR

Direct reading C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP

Direct reading C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP

Direct reading C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA

Direct reading C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP

Direct reading C:\WINDOWS\Temp\Perflib_Perfdata_23c.dat

Direct reading C:\WINDOWS\Temp\Perflib_Perfdata_6b0.dat

Direct reading C:\WINDOWS\WindowsUpdate.log

4. Checking Winsock Layered Service Provider (SPI/LSP)

LSP settings checked. No errors detected

5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)

C:\Arquivos de programas\SmartFTP Client\sfShellTools.dll --> Suspicion for Keylogger or Trojan DLL

C:\Arquivos de programas\SmartFTP Client\sfShellTools.dll>>> Behavioural analysis

Behaviour typical for keyloggers not detected

File quarantined succesfully (C:\Arquivos de programas\SmartFTP Client\sfShellTools.dll)

Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs

6. Searching for opened TCP/UDP ports used by malicious programs

Checking disabled by user

7. Heuristic system check

Checking - complete

8. Searching for vulnerabilities

>> Services: potentially dangerous service allowed: TermService (Serviços de terminal)

>> Services: potentially dangerous service allowed: SSDPSRV (Serviço de descoberta SSDP)

>> Services: potentially dangerous service allowed: Schedule (Agendador de tarefas)

>> Services: potentially dangerous service allowed: mnmsrvc (Compartilhamento remoto da área de trabalho do NetMeeting)

>> Services: potentially dangerous service allowed: RDSessMgr (Gerenciador de sessão de ajuda de área de trabalho remota)

> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!

>> Security: disk drives' autorun is enabled

>> Security: administrative shares (C$, D$ ...) are enabled

>> Security: anonymous user access is enabled

>> Security: sending Remote Assistant queries is enabled

Checking - complete

9. Troubleshooting wizard

>> HDD autorun are allowed

>> Autorun from network drives are allowed

>> Removable media autorun are allowed

Checking - complete

Files scanned: 255830, extracted from archives: 146873, malicious software found 0, suspicions - 1

Scanning finished at 29/1/2009 09:42:57

Time of scanning: 00:54:40

If you have a suspicion on presence of viruses or questions on the suspected objects,

you can address http://virusinfo.info conference

 

 

Obrigada novamente e fico no aguardo de sua valiosa ajuda :)

 

 

Isabel

[DigRam 144]

Boa Tarde! BelTavares

 

<@> Baixe: < OTMoveIt3 >

<@> Salve-o no desktop e,execute-o aí mesmo!

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

:Processes

explorer.exe

:Services

hirfkhfblgblk

:Files

c:\windows\system32\drivers\bzhgci.sys

:Commands

[purity]

[emptytemp]

[start explorer]

[Reboot]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

<@> Copie e cole estas informações,entre os XXXXX...,para o campo ( clipboard ),da ferramenta.

<@> Ps: Área abaixo de "Paste Instructions for Items to be Moved".

<@> Clique em MoveIt.

<@> Na solicitação de reboot,confirme!

<@> Terminando,verifique o conteúdo texto da pasta: C:\_OTMoveIt\MovedFiles

<@> Copie e poste,seu relatório mais recente: C:\_OTMoveIt\MovedFiles\xxxx2009_xxxxxx.log <--

<@> Ps: Como a ferramenta não sobreescreve seus relatórios,há que observar o que foi gerado após sua execução.

-------------------------------

<@> Vá a este link,e baixe: < alwarebytes >

<@> Atualize o programa!

<@> Escolha o escaneamento Rápido!

<@> Desabilite programas de proteção,ao executar o malwarebytes.

<@> Procure enviar os ítens detectados para a quarentena,clicando em Remover itens.

<@> Para maiores detalhes: < Link >

-------------------------------

<@> Poste,também,os relatórios: mbam-log-2009-xx-xx (00-00-00).txt + HijackThis,atualizado.

 

Abraços!

[BelTavares 0]

Olá DigRam, muito obrigada pela sua resposta!

 

Seguem os logs:

 

OTMoveIt3 :

 

========== PROCESSES ==========

Process explorer.exe killed successfully.

========== SERVICES/DRIVERS ==========

Service hirfkhfblgblk stopped successfully.

Service hirfkhfblgblk deleted successfully.

========== FILES ==========

File/Folder c:\windows\system32\drivers\bzhgci.sys not found.

========== COMMANDS ==========

File delete failed. C:\DOCUME~1\ISABEL~1\CONFIG~1\Temp\~DF71C.tmp scheduled to be deleted on reboot.

File delete failed. C:\DOCUME~1\ISABEL~1\CONFIG~1\Temp\~DF7E5D.tmp scheduled to be deleted on reboot.

File delete failed. C:\DOCUME~1\ISABEL~1\CONFIG~1\Temp\~DF7E83.tmp scheduled to be deleted on reboot.

File delete failed. C:\DOCUME~1\ISABEL~1\CONFIG~1\Temp\~DFDBA4.tmp scheduled to be deleted on reboot.

User's Temp folder emptied.

User's Temporary Internet Files folder emptied.

User's Internet Explorer cache folder emptied.

Local Service Temp folder emptied.

Local Service Temporary Internet Files folder emptied.

File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_15c.dat scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_70c.dat scheduled to be deleted on reboot.

Windows Temp folder emptied.

Java cache emptied.

Temp folders emptied.

Explorer started successfully

 

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01302009_084922

 

Files moved on Reboot...

File C:\DOCUME~1\ISABEL~1\CONFIG~1\Temp\~DF71C.tmp not found!

File C:\DOCUME~1\ISABEL~1\CONFIG~1\Temp\~DF7E5D.tmp not found!

File C:\DOCUME~1\ISABEL~1\CONFIG~1\Temp\~DF7E83.tmp not found!

C:\DOCUME~1\ISABEL~1\CONFIG~1\Temp\~DFDBA4.tmp moved successfully.

File C:\WINDOWS\temp\Perflib_Perfdata_15c.dat not found!

File C:\WINDOWS\temp\Perflib_Perfdata_70c.dat not found!

 

 

______________________________________________________________________

 

 

Malwarebytes' Anti-Malware 1.33

Versão do banco de dados: 1707

Windows 5.1.2600 Service Pack 3

 

30/1/2009 09:03:25

mbam-log-2009-01-30 (09-03-24).txt

 

Tipo de Verificação: Rápida

Objetos verificados: 50576

Tempo decorrido: 4 minute(s), 21 second(s)

 

Processos da Memória infectados: 0

Módulos de Memória Infectados: 0

Chaves do Registro infectadas: 1

Valores do Registro infectados: 0

Ítens do Registro infectados: 0

Pastas infectadas: 0

Arquivos infectados: 0

 

Processos da Memória infectados:

(Nenhum ítem malicioso foi detectado)

 

Módulos de Memória Infectados:

(Nenhum ítem malicioso foi detectado)

 

Chaves do Registro infectadas:

HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

 

Valores do Registro infectados:

(Nenhum ítem malicioso foi detectado)

 

Ítens do Registro infectados:

(Nenhum ítem malicioso foi detectado)

 

Pastas infectadas:

(Nenhum ítem malicioso foi detectado)

 

Arquivos infectados:

(Nenhum ítem malicioso foi detectado)

 

______________________________________________________________________

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 09:04:39, on 30/1/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\Arquivos de programas\Microsoft Windows OneCare Live\OcHealthMon.exe

C:\Arquivos de programas\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe

C:\Arquivos de programas\Microsoft Windows OneCare Live\winss.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Microsoft Windows OneCare Live\winssnotify.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Arquivos de programas\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Skype\Phone\Skype.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\3M\PSNLite\PsnLite.exe

C:\ARQUIV~1\3M\PSNLite\PSNGive.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe

C:\Arquivos de programas\Outlook Express\msimn.exe

C:\Hijack\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre6\bin\ssv.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [OneCareUI] "C:\Arquivos de programas\Microsoft Windows OneCare Live\winssnotify.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Arquivos de programas\3M\PSNLite\PsnLite.exe

O8 - Extra context menu item: Append to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Sothink SWF Catcher - C:\Arquivos de programas\Arquivos comuns\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Arquivos de programas\Arquivos comuns\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Arquivos de programas\Arquivos comuns\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/jre/6u1...ows-i586-jc.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe

O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Arquivos de programas\Arquivos comuns\Macromedia Shared\Service\Macromedia Licensing.exe

 

--

End of file - 8446 bytes

 

 

Muito obrigada novamente.

 

 

Isabel

[DigRam 144]

Bom Dia! BelTavares

 

<!> Limpe a quarentena do avz4.

-------------------------

<!> Abra o OTMoveIt3 --> Clique em CleanUp --> Aguarde!

-------------------------

<@> Baixe: < CCleaner >

<@> Salve-o no Desktop!

<@> Com a opção < Limpador >,já selecionada,clique em Analisar. --> Aguarde o progresso!

<@> Terminando,clique em Executar Cleaner.

<@> Na janela que surgir,dê o Ok. --> Aguarde o progresso!

<@> Selecionando a opção Registro,clique em Procurar erros.

<@> Terminando,clique em Corrigir erros selecionados...

<@> Na pergunta,clique em Sim!

<@> Nomeie os backups e clique em Salvar.

<@> Por alguns dias,estando tudo Ok,poderá deletar esse arquivo de backup. ( .reg )

<@> Na janela que aparecer,clique em: "Corrigir todos os erros selecionados"

<@> Clique em Ok --> Fechar.

<@> Para maiores detalhes,leia o Tutorial: < Link >

-------------------------

<!> Como está seu computador?

<!> Os problemas ainda permanecem?

 

Abraços!

[BelTavares 0]

Digram

 

Muitíssimo obrigada... fiz os procedimentos que você me passou... esperei uns 2 dias para te responder pois estava monitorando meu micro pra ver se as alterações tinham surtido efeito. E funcionou!

 

Não tenho mais os problemas apresentados antes. Agora está tudo correto. Muito obrigada!

 

A única coisa que eu ainda noto quando visualizo os processos do meu micro é que, o processo svchost.exe sempre está aparecendo 5 vezes.

Outra coisa é que o iexplorer.exe está sempre utilizando uma grande parte da memória, normalmente acima de 280.950 K.

Isso é normal?

 

Obrigada novamente, é a primeira vez que dão real atenção a um post meu aqui no Fórum.

 

Isabel

[DigRam 144]

Boa Noite! BelTavares

 

A única coisa que eu ainda noto quando visualizo os processos do meu micro é que, o processo svchost.exe sempre está aparecendo 5 vezes.

<!> É normal,essas várias instâncias do svchost.exe,que é um gerenciador de serviços.

 

Outra coisa é que o iexplorer.exe está sempre utilizando uma grande parte da memória, normalmente acima de 280.950 K.

Isso é normal?

<!> Não é normal e,voçê deverá desabilitar alguns complementos do IE7,na busca ao programa que está solicitando essa demanda da memória.

<!> O Skype é um forte suspeito,mas...podem existir outros.

<!> Ao desabilitar os Complementos do IE7,vá sempre ao Gerenciador de tarefas e verifique se houve uma substancial redução,da taxa de consumo no iexplorer.exe.

 

Abraços!

[Mário Monteiro 179]

PROBLEMA RESOLVIDO!

 

Caso o autor necessite que o tópico seja reaberto basta enviar uma Mensagem Privada para um Moderador com um link para o tópico.