ronald-sg
Posted January 27, 2009

I am posting logs for analysis regarding virus removal. Best regards to all.

Combofix

ComboFix 09-01-21.04 - DIEGO 2009-01-26 11:42:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.446.144 [GMT -2:00]
Executando de: c:\documents and settings\DIEGO\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Criado um novo ponto de restauro

ATENÇAO - ESTA MAQUINA NAO TEM O CONSOLE DE RECUPERAÇÃO INSTALADA !!
.
ADS - WINDOWS: deleted 72 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
c:\documents and settings\DIEGO\ravmonlog
c:\windows\system32\AutoRun.inf
c:\windows\system32\autorun.ini
c:\windows\system32\autorun.reg
c:\windows\TRANSFORMERS.DLL
c:\windows\wnetsock08.dll
D:\Autorun.inf
.
(((((((((((((((( Arquivos/Ficheiros criados de 2008-12-26 to 2009-01-26 ))))))))))))))))))))))))))))
.
2009-01-26 11:36 . 2009-01-26 11:36 <DIR> d-------- c:\arquivos de programas\VS Revo Group
2009-01-26 11:00 . 2004-08-04 00:45 116,224 --a--c--- c:\windows\system32\dllcache\xrxwiadr.dll
2009-01-26 11:00 . 2001-09-05 23:50 99,865 --a--c--- c:\windows\system32\dllcache\xlog.exe
2009-01-26 11:00 . 2001-09-05 23:50 27,648 --a--c--- c:\windows\system32\dllcache\xrxftplt.exe
2009-01-26 11:00 . 2001-09-05 23:50 23,040 --a--c--- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-01-26 11:00 . 2004-08-03 22:29 19,455 --a--c--- c:\windows\system32\dllcache\wvchntxx.sys
2009-01-26 11:00 . 2001-09-05 23:50 17,408 --a--c--- c:\windows\system32\dllcache\xrxscnui.dll
2009-01-26 11:00 . 2001-08-17 20:11 16,970 --a--c--- c:\windows\system32\dllcache\xem336n5.sys
2009-01-26 11:00 . 2004-08-03 22:29 12,063 --a--c--- c:\windows\system32\dllcache\wsiintxx.sys
2009-01-26 11:00 . 2004-08-04 00:45 8,192 --a--c--- c:\windows\system32\dllcache\wshirda.dll
2009-01-26 11:00 . 2001-09-05 23:50 4,608 --a--c--- c:\windows\system32\dllcache\xrxflnch.exe
2009-01-26 10:58 . 2001-09-05 23:50 525,568 --a--c--- c:\windows\system32\dllcache\tridxp.dll
2009-01-26 10:57 . 2001-09-05 23:50 114,688 --a--c--- c:\windows\system32\dllcache\sonypi.dll
2009-01-26 10:57 . 2001-08-17 20:51 37,040 --a--c--- c:\windows\system32\dllcache\sonypi.sys
2009-01-26 10:57 . 2001-08-17 20:51 20,752 --a--c--- c:\windows\system32\dllcache\sonync.sys
2009-01-26 10:57 . 2001-08-17 21:53 9,600 --a--c--- c:\windows\system32\dllcache\sonymc.sys
2009-01-26 10:57 . 2004-08-03 23:00 7,552 --a--c--- c:\windows\system32\dllcache\sonyait.sys
2009-01-26 10:57 . 2001-08-17 21:53 7,040 --a--c--- c:\windows\system32\dllcache\snyaitmc.sys
2009-01-26 10:52 . 2001-09-05 23:50 495,616 --a--c--- c:\windows\system32\dllcache\sblfx.dll
2009-01-26 10:51 . 2001-09-05 23:50 86,097 --a--c--- c:\windows\system32\dllcache\reslog32.dll
2009-01-26 10:51 . 2004-08-04 00:36 79,360 --a--c--- c:\windows\system32\dllcache\rocket.sys
2009-01-26 10:51 . 2004-08-03 23:10 59,648 --a--c--- c:\windows\system32\dllcache\rfcomm.sys
2009-01-26 10:51 . 2001-08-17 20:12 37,563 --a--c--- c:\windows\system32\dllcache\rlnet5.sys
2009-01-26 10:51 . 2001-08-17 20:19 30,720 --a--c--- c:\windows\system32\dllcache\rthwcls.sys
2009-01-26 10:51 . 2004-08-03 23:04 30,080 --a--c--- c:\windows\system32\dllcache\rndismpx.sys
2009-01-26 10:51 . 2001-09-05 23:50 9,728 --a--c--- c:\windows\system32\dllcache\rsmgrstr.dll
2009-01-26 10:51 . 2001-08-17 20:19 3,840 --a--c--- c:\windows\system32\dllcache\rpfun.sys
2009-01-26 10:49 . 2004-08-04 00:45 4,274,816 --a--c--- c:\windows\system32\dllcache\nv4_disp.dll
2009-01-26 10:48 . 2004-08-04 00:45 1,737,856 --a--c--- c:\windows\system32\dllcache\mtxparhd.dll
2009-01-26 10:47 . 2009-01-26 10:47 <DIR> d--h----- c:\windows\system32\GroupPolicy
2009-01-26 10:46 . 2001-08-17 21:28 802,683 --a--c--- c:\windows\system32\dllcache\ltsm.sys
2009-01-26 10:45 . 2004-08-04 00:45 153,600 --a--c--- c:\windows\system32\dllcache\irftp.exe
2009-01-26 10:44 . 2004-08-03 22:41 1,041,536 --a--c--- c:\windows\system32\dllcache\hsfdpsp2.sys
2009-01-26 10:43 . 2001-09-05 23:49 1,733,120 --a--c--- c:\windows\system32\dllcache\g400d.dll
2009-01-26 10:42 . 2001-09-05 23:11 634,166 --a--c--- c:\windows\system32\dllcache\el656ct5.sys
2009-01-26 10:41 . 2001-08-17 20:14 952,007 --a--c--- c:\windows\system32\dllcache\diwan.sys
2009-01-26 10:40 . 2001-09-05 23:17 980,034 --a--c--- c:\windows\system32\dllcache\cicap.sys
2009-01-26 10:39 . 2004-08-04 00:45 1,888,992 --a--c--- c:\windows\system32\dllcache\ati3duag.dll
2009-01-26 10:38 . 2001-08-17 20:12 97,354 --a--c--- c:\windows\system32\dllcache\aspndis3.sys
2009-01-26 10:37 . 2001-08-17 22:07 56,960 --a--c--- c:\windows\system32\dllcache\aic78xx.sys
2009-01-26 10:36 . 2004-08-04 00:45 4,255 --a--c--- c:\windows\system32\dllcache\adv01nt5.dll
2009-01-26 10:36 . 2004-08-04 00:45 3,967 --a--c--- c:\windows\system32\dllcache\adv02nt5.dll
2009-01-26 10:36 . 2004-08-04 00:45 3,775 --a--c--- c:\windows\system32\dllcache\adv11nt5.dll
2009-01-26 10:36 . 2004-08-04 00:45 3,711 --a--c--- c:\windows\system32\dllcache\adv09nt5.dll
2009-01-26 10:36 . 2004-08-04 00:45 3,647 --a--c--- c:\windows\system32\dllcache\adv07nt5.dll
2009-01-26 10:36 . 2004-08-04 00:45 3,615 --a--c--- c:\windows\system32\dllcache\adv05nt5.dll
2009-01-26 10:36 . 2004-08-04 00:45 3,135 --a--c--- c:\windows\system32\dllcache\adv08nt5.dll
2009-01-26 10:33 . 2001-09-05 23:49 66,048 --a--c--- c:\windows\system32\dllcache\s3legacy.dll
2009-01-24 08:08 . 2009-01-24 08:08 286,720 --------- c:\windows\Setup1.exe
2009-01-24 08:08 . 2009-01-24 08:08 73,216 --a------ c:\windows\ST6UNST.EXE
2009-01-24 08:02 . 2009-01-24 08:02 <DIR> d-------- C:\Aplicativos
2009-01-23 07:31 . 2009-01-23 07:31 <DIR> d-------- c:\arquivos de programas\Documents and Settings
2009-01-16 17:28 . 2009-01-16 17:29 <DIR> d-------- C:\BancoBrasil
2009-01-16 16:29 . 2009-01-16 16:29 201 --a------ C:\aapj.properties
2009-01-16 16:26 . 2009-01-16 16:26 <DIR> d-------- C:\bancodobrasil
2009-01-16 16:13 . 2009-01-16 16:13 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-16 16:09 . 2007-08-10 08:12 33,656 --a------ c:\windows\system32\sprecovr.exe
2009-01-16 16:06 . 2001-10-28 13:06 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll
2009-01-16 11:57 . 2009-01-22 12:38 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-16 11:54 . 2009-01-26 09:07 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-16 11:54 . 2009-01-16 11:54 98,440 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-16 11:54 . 2009-01-16 11:54 90,632 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-01-16 11:54 . 2009-01-16 11:54 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-01-16 11:53 . 2009-01-26 11:38 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\avg8
2009-01-16 11:53 . 2009-01-16 11:53 <DIR> d-------- c:\arquivos de programas\AVG
2009-01-16 11:30 . 2006-04-19 16:50 788,224 --a------ c:\windows\system32\drivers\BisonCam.sys
2009-01-16 11:30 . 2005-01-14 13:47 180,224 --a------ c:\windows\system\StillDrv.dll
2009-01-16 11:30 . 2005-09-30 14:41 126,976 --a------ c:\windows\system\BisonCam.dll
2009-01-16 11:30 . 2005-09-30 14:41 90,112 --a------ c:\windows\system\BisonVfw.dll
2009-01-16 11:30 . 2005-11-17 22:57 73,846 --a------ c:\windows\system32\BisonRem.dll
2009-01-16 11:30 . 2003-09-22 13:49 15,190 --a------ c:\windows\M2000Twn.ini
2009-01-16 11:30 . 2003-09-22 14:36 13,448 --a------ c:\windows\M2000Twn.src
2009-01-16 11:30 . 2005-12-05 12:08 2,264 --a------ c:\windows\system\S20H0220.csr
2009-01-16 11:30 . 2005-12-05 12:08 2,264 --a------ c:\windows\system\S20F0220.csr
2009-01-16 11:27 . 2009-01-17 16:26 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Bluetooth
2009-01-16 11:22 . 2004-08-04 00:45 91,136 --a------ c:\windows\system32\drivers\kswdmcap.ax
2009-01-16 11:22 . 2004-08-04 00:45 61,952 --a------ c:\windows\system32\drivers\kstvtune.ax
2009-01-16 11:22 . 2004-08-04 00:45 54,784 --a------ c:\windows\system32\drivers\vfwwdm32.dll
2009-01-16 11:22 . 2004-08-04 00:45 43,008 --a------ c:\windows\system32\drivers\ksxbar.ax
2009-01-16 11:22 . 2004-08-04 00:45 28,672 --a------ c:\windows\system32\drivers\vidcap.ax
2009-01-16 11:08 . 2006-07-19 04:18 180,480 -ra------ c:\windows\system32\drivers\RTL8187.sys
2008-12-30 14:32 . 2008-12-30 14:32 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Elaborate Bytes
2008-12-30 14:29 . 2008-12-30 14:43 <DIR> d-------- c:\arquivos de programas\Elaborate Bytes
2008-12-30 14:19 . 2008-12-30 14:19 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\SlySoft
2008-12-30 14:11 . 2008-12-30 14:12 24 --ahs---- c:\windows\S4EEC995C.tmp
2008-12-30 14:07 . 2008-12-30 14:43 <DIR> d-------- c:\arquivos de programas\SlySoft
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-23 14:46 --------- d-----w c:\arquivos de programas\eMule
2009-01-23 09:35 --------- d-----w c:\arquivos de programas\S3
2009-01-23 09:31 --------- d-----w c:\arquivos de programas\Arquivos comuns\Adobe
2009-01-19 11:03 --------- d-----w c:\arquivos de programas\Windows Live
2009-01-17 18:25 --------- d-----w c:\arquivos de programas\easyMule
2009-01-16 19:28 --------- d--h--w c:\arquivos de programas\InstallShield Installation Information
2008-12-18 23:21 --------- d--h--w c:\documents and settings\All Users\Dados de aplicativos\{8477994D-889C-43C2-80D8-0B371F90DD94}
2008-12-18 23:21 --------- d-----w c:\arquivos de programas\Visiosonic
2008-12-18 02:06 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\WLInstaller
2008-12-18 01:02 --------- d-----w c:\arquivos de programas\Arquivos comuns\Windows Live
2008-12-11 21:06 384,512 ----a-w c:\windows\Media\AuxImgDll.dll
2008-12-11 21:05 0 ----a-w c:\documents and settings\DIEGO\Emails.dat
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-08 01:05 --------- d-----w c:\arquivos de programas\Intelig
2008-12-07 20:29 --------- d-----w c:\arquivos de programas\Java
2008-12-02 12:34 --------- d-----w c:\arquivos de programas\Microsoft Silverlight
2008-12-02 03:04 --------- d-----w c:\arquivos de programas\Windows Live Toolbar
2008-12-02 03:04 --------- d-----w c:\arquivos de programas\Windows Live Favorites
2006-07-30 12:20 959 --sha-r c:\windows\system32\autorun.bin
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{9CB65206-89C4-402c-BA80-02D8C59F9B1D}"= "c:\arquivos de programas\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL" [2008-10-25 57344]
"{EEE6C35D-6118-11DC-9C72-001320C79847}"= "c:\arquivos de programas\SweetIM\Toolbars\Internet Explorer\mgHelper.dll" [2008-10-08 173368]

[HKEY_CLASSES_ROOT\clsid\{9cb65206-89c4-402c-ba80-02d8c59f9b1d}]

[HKEY_CLASSES_ROOT\clsid\{eee6c35d-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
2008-10-08 12:22 1172792 --a------ c:\arquivos de programas\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\arquivos de programas\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2008-10-08 1172792]

[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE.3]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\arquivos de programas\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2008-10-08 1172792]

[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE.3]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Windows Service help"="c:\recycler\S-1-5-21-8704067323-8321749387-696667452-4469\winservices.exe" [2009-01-08 90112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\arquivos de programas\VIA\VIAudioi\HDADeck\HDeck.exe" [2007-04-16 778240]
"SynTPEnh"="c:\arquivos de programas\Synaptics\SynTP\SynTPEnh.exe" [2006-10-12 815104]
"SMSERIAL"="c:\arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-22 630784]
"SweetIM"="c:\arquivos de programas\SweetIM\Messenger\SweetIM.exe" [2008-11-17 111928]
"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre6\bin\jusched.exe" [2008-12-07 136600]
"BisonTrayIcon"="c:\windows\BisonCam\BisonTrayIcon.exe" [2005-09-05 45056]
"BisonHK"="c:\windows\BisonCam\BisonHK.exe" [2007-01-13 73728]
"CHotkey"="mHotkey.exe" [2005-12-15 c:\windows\mHotkey.exe]
"showwnd"="showwnd.exe" [2003-09-18 c:\windows\ShowWnd.exe]
"VTTimer"="VTTimer.exe" [2006-09-21 c:\windows\system32\VTTimer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\
Ralink Wireless Utility.lnk - c:\arquivos de programas\RALINK\Common\RaUI.exe [2008-11-11 2101248]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=
"c:\\Arquivos de programas\\eMule\\emule.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Arquivos de programas\\NetMeeting\\conf.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18865:TCP"= 18865:TCP:NortonAV
"16149:TCP"= 16149:TCP:NortonAV
"14248:TCP"= 14248:TCP:NortonAV
"13363:TCP"= 13363:TCP:NortonAV
"17317:TCP"= 17317:TCP:NortonAV
"16044:TCP"= 16044:TCP:NortonAV

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-16 98440]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-16 90632]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\arquiv~1\AVG\AVG8\avgemc.exe [2009-01-16 874776]
R4 avg8wd;AVG Free8 WatchDog;c:\arquiv~1\AVG\AVG8\avgwdsvc.exe [2009-01-16 231704]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2009-01-16 180480]
S4 S3GIGP;S3GIGP;c:\windows\system32\drivers\S3gIGPm.sys [2009-01-16 634880]

--- ---

*NewlyCreated* - ASPI32
*Deregistered* - ASPI32
.
Conteúdo da pasta 'Tarefas Agendadas'
.
- - - - ORFÃOS REMOVIDOS - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-ares - c:\arquivos de programas\Ares\Ares.exe
HKCU-Run-IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexStoreSvr.exe
HKCU-Run-MsnMsgr - ~c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe
HKCU-Run-PackageAware - c:\documents and settings\DIEGO\Local Settings\Application Data\PackageAware\mpa.exe
HKLM-Run-NBKeyScan - c:\arquivos de programas\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
HKLM-Run-DrvStart - c:\windows\Media\HPMedia.exe
HKLM-Run-S3Trayp - S3trayp.exe
.
------- Scan Suplementar -------
.
mStart Page = hxxp://home.sweetim.com
IE: &Windows Live Search - c:\arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {1FB5FF0D-2646-452D-AB60-DE8713529D73} = 200.251.143.2,200.251.143.3
TCP: {2C1A576A-BF24-4425-BC92-91B316666652} = 200.251.143.2,200.251.143.3
TCP: {3612EEF1-4836-4AF2-B5A8-AE7EC4887EB6} = 200.251.143.2,200.251.143.3
TCP: {FF944DE2-7E4D-4A8D-91D4-8979B42F4836} = 200.251.143.2,200.251.143.3
FF - ProfilePath - c:\documents and settings\DIEGO\Dados de aplicativos\Mozilla\Firefox\Profiles\y3hrxm63.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - prefs.js: browser.search.selectedEngine - SweetIM Search
FF - prefs.js: browser.startup.homepage - hxxp://home.sweetim.com
FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - component: c:\arquivos de programas\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-26 11:47:08
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\arquivos de programas\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????????????

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MsnMsgr = ~"c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background?

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\•€|ÿÿÿÿ"•€|þ»Òw*]
"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
------------------------ Outros Processos em Execução ------------------------
.
c:\arquivos de programas\Java\jre6\bin\jqs.exe
c:\arquivos de programas\AVG\AVG8\avgrsx.exe
c:\arquiv~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Tempo para conclusão: 2009-01-26 11:50:15 - Máquina reiniciou
ComboFix-quarantined-files.txt 2009-01-26 13:50:09

Pré-execução: 3.439.173.632 bytes disponíveis
Pós execução: 4,467,695,616 bytes disponíveis

267 --- E O F --- 2009-01-26 13:17:16

Hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:11:01, on 27/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\BisonCam\BisonTrayIcon.exe
C:\WINDOWS\BisonCam\BisonHK.exe
C:\ARQUIV~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\RALINK\Common\RaUI.exe
C:\ARQUIV~1\AVG\AVG8\avgrsx.exe
C:\ARQUIV~1\AVG\AVG8\avgnsx.exe
C:\ARQUIV~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Arquivos de programas\IObit\Advanced SystemCare 3\AWC.exe
G:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Arquivos de programas\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Arquivos de programas\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Arquivos de programas\AVG\AVG8\avgssie.dll
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre6\bin\ssv.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Arquivos de programas\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Arquivos de programas\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Arquivos de programas\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Arquivos de programas\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Arquivos de programas\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [HDAudDeck] C:\Arquivos de programas\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [sMSERIAL] C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [showwnd] showwnd.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [bisonTrayIcon] C:\WINDOWS\BisonCam\BisonTrayIcon.exe
O4 - HKLM\..\Run: [bisonHK] C:\WINDOWS\BisonCam\BisonHK.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARQUIV~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Service help] C:\RECYCLER\S-1-5-21-6267506197-6155153105-419372589-5439\winservices.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Arquivos de programas\RALINK\Common\RaUI.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FB5FF0D-2646-452D-AB60-DE8713529D73}: NameServer = 200.251.143.2,200.251.143.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C1A576A-BF24-4425-BC92-91B316666652}: NameServer = 200.251.143.2,200.251.143.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{3612EEF1-4836-4AF2-B5A8-AE7EC4887EB6}: NameServer = 200.251.143.2,200.251.143.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF944DE2-7E4D-4A8D-91D4-8979B42F4836}: NameServer = 200.251.143.2,200.251.143.3
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Arquivos de programas\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

--
End of file - 6732 bytes

Silas Martins
Posted January 28, 2009

Open HijackThis, click Do a system scan only, check the entries below and click Fix checked:

O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Arquivos de programas\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Arquivos de programas\AskTBar\bar\1.bin\ASKTBAR.DLL
O4 - HKCU\..\Run: [Windows Service help] C:\RECYCLER\S-1-5-21-6267506197-6155153105-419372589-5439\winservices.exe

Download Killbox.

Run Pocket KillBox and select the Delete on Reboot option. In Full Path of File to Delete, type (or copy and paste the line below):

C:\RECYCLER\S-1-5-21-6267506197-6155153105-419372589-5439\winservices.exe

Click the [ X ] and answer Yes so that the computer restarts to delete the files. If the PC does not restart automatically, restart it manually.

Once that is done, continue:

Download Norman Malware Cleaner here: http://superdownloads.uol.com.br/redir.cfm?softid=63672

After installing it, run it and add all the physical and removable drives on your PC (e.g. Ec: F: and others), and only then click Scan.

After that, post the HijackThis log together with the Norman log.

ronald-sg
Posted February 3, 2009

New HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:29:43, on 3/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\BisonCam\BisonTrayIcon.exe
C:\WINDOWS\BisonCam\BisonHK.exe
C:\ARQUIV~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe
C:\Arquivos de programas\CoolSMS\CoolSMS.exe
C:\Arquivos de programas\RALINK\Common\RaUI.exe
C:\ARQUIV~1\AVG\AVG8\avgemc.exe
C:\ARQUIV~1\AVG\AVG8\avgrsx.exe
C:\ARQUIV~1\AVG\AVG8\avgnsx.exe
C:\Arquivos de programas\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\DIEGO\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Arquivos de programas\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Arquivos de programas\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Arquivos de programas\AVG\AVG8\avgssie.dll
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Arquivos de programas\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Arquivos de programas\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Arquivos de programas\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [HDAudDeck] C:\Arquivos de programas\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [sMSERIAL] C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [showwnd] showwnd.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [bisonTrayIcon] C:\WINDOWS\BisonCam\BisonTrayIcon.exe
O4 - HKLM\..\Run: [bisonHK] C:\WINDOWS\BisonCam\BisonHK.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARQUIV~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [CoolSMS] C:\Arquivos de programas\CoolSMS\CoolSMS.exe /minimized
O4 - HKCU\..\Run: [Windows Service help] C:\RECYCLER\S-1-5-21-6267506197-6155153105-419372589-5439\winservices.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Arquivos de programas\RALINK\Common\RaUI.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FB5FF0D-2646-452D-AB60-DE8713529D73}: NameServer = 200.251.143.2,200.251.143.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C1A576A-BF24-4425-BC92-91B316666652}: NameServer = 200.251.143.2,200.251.143.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{3612EEF1-4836-4AF2-B5A8-AE7EC4887EB6}: NameServer = 200.251.143.2,200.251.143.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF944DE2-7E4D-4A8D-91D4-8979B42F4836}: NameServer = 200.251.143.2,200.251.143.3
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Arquivos de programas\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

--
End of file - 7133 bytes
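
A way to check whether the "Fix checked" step requested on January 28 took effect in the February 3 log, as an added example that is not part of the original thread: it splits pasted HijackThis text into entries, tolerating entries run together by pasting, and reports which fix-list entries still appear in the follow-up log. Matching on section code plus CLSID (or normalised entry text) is an assumption of this example; the sample text is excerpted from the posts above.

```python
import re

# HijackThis section codes (R0-R3, F0-F3, O1-O24) followed by " - ".
# No leading word boundary is required: pasted logs are often flattened so
# that one entry runs straight into the next ("...ASKTBAR.DLLO3 - Toolbar").
PREFIX = re.compile(r"(R[0-3]|F[0-3]|O(?:1\d|2[0-4]|[1-9])) - (?=\S)")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Fix list from the helper's reply, deliberately kept flattened and fused.
FIX_TEXT = (
    r"O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - "
    r"C:\Arquivos de programas\AskTBar\bar\1.bin\ASKTBAR.DLL"
    r"O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - "
    r"C:\Arquivos de programas\AskTBar\bar\1.bin\ASKTBAR.DLL "
    r"O4 - HKCU\..\Run: [Windows Service help] "
    r"C:\RECYCLER\S-1-5-21-6267506197-6155153105-419372589-5439\winservices.exe"
)

# Excerpt of the follow-up log (not the full log).
FOLLOWUP_TEXT = r"""
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Arquivos de programas\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Arquivos de programas\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Arquivos de programas\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Arquivos de programas\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CoolSMS] C:\Arquivos de programas\CoolSMS\CoolSMS.exe /minimized
O4 - HKCU\..\Run: [Windows Service help] C:\RECYCLER\S-1-5-21-6267506197-6155153105-419372589-5439\winservices.exe
-- End of file - 7133 bytes
"""


def parse_entries(text):
    """Split pasted HijackThis text into (code, body) pairs, even when flattened."""
    flat = " ".join(text.split())                 # collapse all whitespace/newlines
    flat = flat.split("-- End of file")[0]        # drop the log trailer, if any
    marks = list(PREFIX.finditer(flat))
    entries = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(flat)
        entries.append((m.group(1), flat[m.end():end].strip()))
    return entries


def entry_key(code, body):
    """Identity of an entry: section code + CLSID if present, else + normalised text."""
    m = CLSID.search(body)
    ident = m.group(0) if m else body
    return (code, ident.casefold())


def check_fix(fix_text, followup_text):
    """Return (still_present, gone): fix-list entries found / not found in the follow-up."""
    seen = {entry_key(c, b) for c, b in parse_entries(followup_text)}
    still, gone = [], []
    for code, body in parse_entries(fix_text):
        target = still if entry_key(code, body) in seen else gone
        target.append(f"{code} - {body}")
    return still, gone


if __name__ == "__main__":
    still, gone = check_fix(FIX_TEXT, FOLLOWUP_TEXT)
    for line in gone:
        print("removed      :", line)
    for line in still:
        print("STILL PRESENT:", line)
```
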

Silas Martins
Posted February 7, 2009

Download Malwarebytes Anti-Malware

* Start the installation by clicking "mbam-setup.exe";
* Check "Update Malwarebytes Anti-Malware" and "Run Malwarebytes Anti-Malware", and click Finish.
* Check "Quick Scan" and then click Scan.
* When the scan finishes, click Ok and then "Show Results" to see the log;
* If anything is detected, make sure everything is checked and click "Remove";
* The log is saved automatically and can be viewed by clicking "Logs" in the main menu;
* Copy and paste that log, together with the new HijackThis log.

I await your reply.

Mário Monteiro
Posted March 9, 2009

Topic Archived

As the author has not replied for more than 30 days, the topic has been archived.

If you are the author of the topic and want to reopen it, send a private message to a moderator of this area together with the link to this topic and explain the reason for reopening it.