roberta alana

[Solved!] Problems with startup...

My PC is very slow at startup, not to mention that the taskbar freezes when it starts...

So, I ask that you analyze my log...

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:27:45, on 28/1/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashDisp.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Arquivos de programas\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - C:\ARQUIV~1\FreshDevices\FreshDownload\fdiebar.dll

O4 - HKLM\..\Run: [avast!] "C:\Arquivos de programas\Alwil Software\Avast4\ashDisp.exe"

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User '?')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User '?')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: FreshDownload - {3EA0FF1C-D61E-43AF-B189-857FC94413BF} - C:\Arquivos de programas\FreshDevices\FreshDownload\fd.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Administrador\Menu Iniciar\Programas\IMVU\Run IMVU.lnk (file missing)

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Arquivos de programas\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1221510508703

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD44/JSCDL/jdk/6u...ows-i586-jc.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\Skype4COM.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: iPod Service - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

 

--

End of file - 6669 bytes

Hey roberta alana,

 

Download ComboFix at:

ComboFix

 

1) Temporarily disable your antivirus;

 

2) Double-click combofix.exe and wait (the whole process takes about 10 minutes);

 

3) The “SOFTWARE DISCLAIMER OF WARRANTY” window will open. Read the text in this window carefully and click “YES” to continue.

 

PS.: If you do not agree with the terms, click “NO” to exit the software, bearing in mind that the disinfection process will not be possible without continuing with ComboFix.

 

4) Another window will open if your machine does not have the WINDOWS RECOVERY CONSOLE. It is recommended to install the console before continuing the process, since this ensures the system can be recovered if problems occur during the scan.

 

Click “YES” and wait, as the console installation is carried out automatically by ComboFix itself. It may take a few minutes (depending on your connection speed), so be patient.

 

When the “INSTALLING THE RECOVERY CONSOLE” window appears, click “OK”, then click “YES” to accept the EULA license.

 

When the recovery console installation finishes, a window will open stating “THE RECOVERY CONSOLE WAS INSTALLED SUCCESSFULLY”.

 

Click “YES” to continue the scan.

 

5) ComboFix will start the AUTOSCAN (wait).

 

WARNING: Do not click on the ComboFix window or terminate the process abruptly while the tool is running, as this will break your desktop configuration (it will turn completely white).

 

When the process finishes, the machine will restart to produce the report.

 

6) After the machine restarts, ComboFix will run FIND3M to create the final scan report. The log will be saved at C:\ComboFix.txt.

 

7) Re-enable your antivirus;

 

8) I need you to paste the contents of ComboFix.txt in your next reply.

 

NOTE 1: If a message appears saying THIS IS NOT A VALID WIN32 APPLICATION, download ComboFix again, but save it to your Desktop as KomboFix. As a last resort, try running ComboFix in SAFE MODE.

 

NOTE 2: If the running ComboFix window is clicked, it will MAXIMIZE, covering the others. To minimize it again, just use the ALT + TAB combination.

 

Cheers.

ComboFix 09-01-21.04 - Administrador 2009-01-30 17:00:19.9 - NTFSx86

Running from: c:\documents and settings\Administrador\Desktop\ComboFix.exe

.

 

((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-30 )))))))))))))))))))))))))))))))

.

 

2009-01-30 16:59 . 2009-01-30 16:59 <DIR> d-------- C:\32788R22FWJFW

2009-01-28 11:04 . 2009-01-28 11:04 30 --a------ C:\prefetch.bat

2009-01-19 14:00 . 2009-01-19 14:00 <DIR> d-------- c:\arquivos de programas\Google

2009-01-18 23:04 . 2001-09-30 19:10 246,784 --a------ c:\windows\system32\ActiveSkin.ocx

2009-01-18 23:04 . 2001-05-24 12:59 162,304 --a------ C:\UNWISE.EXE

2009-01-18 23:04 . 2002-01-18 18:12 112 --a------ c:\windows\ActiveSkin.INI

2009-01-18 22:36 . 2009-01-18 22:36 <DIR> d-------- c:\windows\Downloaded Installations

2009-01-17 15:29 . 2009-01-17 15:29 <DIR> d-------- c:\documents and settings\Administrador\Dados de aplicativos\Malwarebytes

2009-01-17 15:27 . 2009-01-17 15:27 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes

2009-01-17 15:10 . 2009-01-17 15:10 <DIR> d-------- c:\windows\system32\VIRepair

2009-01-12 16:02 . 2009-01-12 16:19 <DIR> d-------- C:\Downloads

2009-01-12 15:48 . 2009-01-17 15:01 <DIR> d-------- c:\arquivos de programas\BitComet

2009-01-12 15:43 . 2009-01-12 15:45 <DIR> d-------- c:\documents and settings\Administrador\Dados de aplicativos\avidemux

2009-01-11 23:22 . 2004-11-27 19:00 94,208 --a------ c:\windows\system32\pskill.exe

2009-01-11 23:22 . 2009-01-11 23:22 78,942 --a------ c:\windows\Icon_4.ico

2009-01-11 23:11 . 2008-11-11 23:22 20,480 --a------ c:\windows\system32\scrnrdr.exe

2009-01-10 19:44 . 2009-01-10 19:44 <DIR> d-------- c:\arquivos de programas\Secway

2009-01-10 19:39 . 2009-01-10 19:39 <DIR> d-------- c:\arquivos de programas\Microsoft

2009-01-09 00:19 . 2009-01-09 00:19 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Messenger Plus!

2009-01-08 22:59 . 2009-01-11 11:04 <DIR> d-------- c:\arquivos de programas\Messenger Plus! Live

2009-01-08 21:46 . 2009-01-17 15:02 <DIR> d-------- c:\arquivos de programas\SimilarImages

2009-01-08 14:38 . 2009-01-08 21:31 <DIR> d-------- c:\arquivos de programas\MSN Messenger

2009-01-03 02:49 . 2009-01-03 02:49 <DIR> d-------- c:\arquivos de programas\Windows Live Safety Center

2008-12-22 01:37 . 2008-12-22 01:37 <DIR> d-------- c:\arquivos de programas\GIMP-2.0

2008-12-21 17:11 . 2008-12-21 17:11 <DIR> d-------- c:\arquivos de programas\PluginLetras

2008-12-19 19:51 . 2008-12-19 19:51 <DIR> d-------- c:\arquivos de programas\Windows Live SkyDrive

2008-12-19 17:29 . 2008-12-21 17:10 <DIR> d-------- c:\arquivos de programas\Paint.NET

2008-12-14 18:55 . 2008-10-03 08:04 247,326 --------- c:\windows\system32\dllcache\strmdll.dll

2008-12-12 10:44 . 2008-12-12 10:44 78,942 --a------ c:\windows\Icon_3.ico

2008-12-06 21:15 . 2008-08-09 09:24 59,728 --a------ C:\msimg32.dll

2008-12-04 23:01 . 2008-12-04 23:17 <DIR> d-------- C:\cmdcons(2)

2008-12-02 22:37 . 2008-12-02 22:37 49,480 --a------ c:\windows\system32\sirenacm.dll

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-29 13:38 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\LimeWire

2009-01-29 03:16 --------- dc----w c:\arquivos de programas\LimeWire

2009-01-29 01:22 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\gtk-2.0

2009-01-26 03:05 --------- dc----w c:\arquivos de programas\CCleaner

2009-01-23 16:16 --------- dc----w c:\arquivos de programas\IObit

2009-01-17 17:47 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help

2009-01-17 17:03 --------- dc----w c:\arquivos de programas\Total Video Converter

2009-01-10 21:39 --------- dc----w c:\arquivos de programas\Windows Live

2009-01-09 00:11 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\WLInstaller

2008-12-30 15:21 --------- d---a-w c:\documents and settings\All Users\Dados de aplicativos\TEMP

2008-12-17 00:56 293,376 ----a-w c:\windows\system32\WISPTIS.EXE

2008-12-14 20:25 --------- dc----w c:\arquivos de programas\Opera

2008-12-13 06:37 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys

2008-12-05 01:18 --------- dc----w c:\arquivos de programas\Flock(2)

2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys

2008-10-23 12:37 286,720 ----a-w c:\windows\system32\gdi32.dll

2008-10-23 12:37 286,720 ------w c:\windows\system32\dllcache\gdi32.dll

2008-10-16 16:13 202,776 ----a-w c:\windows\system32\wuweb.dll

2008-10-16 16:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll

2008-10-16 16:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll

2008-10-16 16:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll

2008-10-16 16:12 561,688 ----a-w c:\windows\system32\wuapi.dll

2008-10-16 16:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll

2008-10-16 16:12 323,608 ----a-w c:\windows\system32\wucltui.dll

2008-10-16 16:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll

2008-10-16 16:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll

2008-10-16 16:09 92,696 ----a-w c:\windows\system32\cdm.dll

2008-10-16 16:09 51,224 ----a-w c:\windows\system32\wuauclt.exe

2008-10-16 16:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe

2008-10-16 16:09 43,544 ----a-w c:\windows\system32\wups2.dll

2008-10-16 16:08 34,328 ----a-w c:\windows\system32\wups.dll

2008-10-16 16:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll

2008-10-16 16:06 268,648 ----a-w c:\windows\system32\mucltui.dll

2008-10-16 16:06 208,744 ----a-w c:\windows\system32\muweb.dll

2008-10-16 13:15 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe

2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe

2008-10-15 16:36 337,408 ------w c:\windows\system32\dllcache\netapi32.dll

2008-10-15 07:06 633,632 ----a-w c:\windows\system32\dllcache\iexplore.exe

2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll

2008-10-12 17:30 2,560 ----a-w c:\windows\_MSRSTRT.EXE

2008-10-03 10:04 247,326 ----a-w c:\windows\system32\strmdll.dll

.

 

------- Sigcheck -------

 

2001-02-20 14:09 8192 d36a33c21eeed5a6c1daecb7c80a1909 c:\windows\system32\CTFMON.EXE

.

((((((((((((((((((((((((((((( snapshot@2009-01-11_11.47.18,10 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-12-14 21:45:40 1,165,584 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\accicons.exe

+ 2009-01-17 17:47:17 1,165,584 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\accicons.exe

- 2008-12-14 21:45:41 20,240 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\cagicon.exe

+ 2009-01-17 17:47:20 20,240 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\cagicon.exe

- 2008-12-14 21:45:40 159,504 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\inficon.exe

+ 2009-01-17 17:47:19 159,504 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\inficon.exe

- 2008-12-14 21:45:40 184,080 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\joticon.exe

+ 2009-01-17 17:47:19 184,080 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\joticon.exe

- 2008-12-14 21:45:41 217,864 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\misc.exe

+ 2009-01-17 17:47:20 217,864 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\misc.exe

- 2008-12-14 21:45:41 18,704 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\mspicons.exe

+ 2009-01-17 17:47:21 18,704 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\mspicons.exe

- 2008-12-14 21:45:41 35,088 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\oisicon.exe

+ 2009-01-17 17:47:22 35,088 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\oisicon.exe

- 2008-12-14 21:45:41 845,584 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\outicon.exe

+ 2009-01-17 17:47:19 845,584 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\outicon.exe

- 2008-12-14 21:45:41 922,384 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\pptico.exe

+ 2009-01-17 17:47:20 922,384 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\pptico.exe

- 2008-12-14 21:45:41 272,648 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\pubs.exe

+ 2009-01-17 17:47:20 272,648 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\pubs.exe

- 2008-12-14 21:45:41 888,080 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\wordicon.exe

+ 2009-01-17 17:47:21 888,080 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\wordicon.exe

- 2008-12-14 21:45:40 1,172,240 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\xlicons.exe

+ 2009-01-17 17:47:19 1,172,240 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\xlicons.exe

- 2000-08-31 10:00:00 28,672 ----a-w c:\windows\Nircmd.exe

+ 2000-08-31 10:00:00 29,696 ----a-w c:\windows\Nircmd.exe

- 2008-12-09 23:24:37 17,593,280 ----a-w c:\windows\system32\MRT.exe

+ 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\system32\MRT.exe

- 2008-12-13 06:37:59 3,593,216 ----a-w c:\windows\system32\mshtml.dll

+ 2008-12-13 06:38:00 3,593,216 ----a-w c:\windows\system32\mshtml.dll

- 2008-08-14 13:24:45 2,193,408 ----a-w c:\windows\system32\ntoskrnl.exe

+ 2008-08-14 13:24:46 2,193,408 ----a-w c:\windows\system32\ntoskrnl.exe

- 2008-12-21 19:12:38 2,266,608 ----a-w c:\windows\system32\Restore\rstrlog.dat

+ 2009-01-26 03:06:21 1,558,532 ----a-w c:\windows\system32\Restore\rstrlog.dat

+ 2002-03-19 19:30:00 177,152 ----a-w c:\windows\system32\tweakui.exe

- 2008-10-16 20:23:07 233,472 ----a-w c:\windows\system32\webcheck.dll

+ 2008-10-16 20:23:08 233,472 ----a-w c:\windows\system32\webcheck.dll

- 2009-01-10 20:49:16 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_574.dat

+ 2009-01-29 12:52:05 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_574.dat

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="ctfmon.exe" [2001-02-20 c:\windows\system32\CTFMON.EXE]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="c:\arquivos de programas\Alwil Software\Avast4\ashDisp.exe" [2008-11-26 81000]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_2"="shell32" [X]

"nltide_3"="advpack.dll" [2008-10-16 c:\windows\system32\advpack.dll]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableCAD"= 1 (0x1)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoSMHelp"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]

2008-09-17 09:05 210168 c:\arquivos de programas\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]

"Script"=C:\prefetch.bat

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Orbit.lnk]

backup=c:\windows\pss\Orbit.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a--c--- 2008-06-12 03:38 34672 c:\arquivos de programas\Adobe\Reader 9.0\Reader\reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\domino]

--a------ 2006-07-04 15:16 49152 c:\windows\domino.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

--a--c--- 2007-08-24 08:00 33648 c:\arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a--c--- 2008-05-27 11:50 413696 c:\arquivos de programas\QuickTime\QTTask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

-ra--c--- 2008-06-14 19:28 26992424 c:\arquivos de programas\Skype\Phone\Skype.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a--c--- 2008-06-10 05:27 144784 c:\arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

--a--c--- 2008-07-18 22:12 185896 c:\arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMSnap1]

--a------ 2006-07-17 12:27 49152 c:\windows\VMSnap1.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2001-02-20 14:09 8192 c:\windows\system32\CTFMON.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WMPNetworkSvc"=3 (0x3)

"WLSetupSvc"=3 (0x3)

"VideoAcceleratorService"=2 (0x2)

"UPS"=3 (0x3)

"ose"=3 (0x3)

"odserv"=3 (0x3)

"NMIndexingService"=3 (0x3)

"Microsoft Office Groove Audit Service"=3 (0x3)

"MDM"=2 (0x2)

"McAfee SiteAdvisor Service"=2 (0x2)

"iPod Service"=3 (0x3)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\LimeWire\\LimeWire.exe"=

"c:\\Arquivos de programas\\iTunes\\iTunes.exe"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

"c:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"9921:TCP"= 9921:TCP:BitCometBeta 9921 TCP

"9921:UDP"= 9921:UDP:BitCometBeta 9921 UDP

 

R3 2d91D;2d91D; [x]

R3 s916bus;Sony Ericsson Device 916 driver (WDM);c:\windows\system32\DRIVERS\s916bus.sys [2007-11-02 83496]

R3 s916mdfl;Sony Ericsson Device 916 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s916mdfl.sys [2007-11-02 15016]

R3 s916mdm;Sony Ericsson Device 916 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s916mdm.sys [2007-11-02 109992]

R3 s916mgmt;Sony Ericsson Device 916 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s916mgmt.sys [2007-11-02 103976]

R3 s916obex;Sony Ericsson Device 916 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s916obex.sys [2007-11-02 100008]

S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]

S1 aswSP;avast! Self Protection; [x]

S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-26 20560]

S3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]

S3 slnt;Realtek RTL8139 PCI Fast Ethernet Adapter;c:\windows\system32\DRIVERS\slnt.sys [2005-12-07 17999]

 

 

--- Other Services/Drivers In Memory ---

 

*Deregistered* - Aavmker4

*Deregistered* - AFD

*Deregistered* - ALG

*Deregistered* - aswFsBlk

*Deregistered* - aswMon2

*Deregistered* - aswRdr

*Deregistered* - aswSP

*Deregistered* - aswTdi

*Deregistered* - aswUpdSv

*Deregistered* - AudioSrv

*Deregistered* - audstub

*Deregistered* - avast! Antivirus

*Deregistered* - avast! Mail Scanner

*Deregistered* - avast! Web Scanner

*Deregistered* - Beep

*Deregistered* - BITS

*Deregistered* - Cdfs

*Deregistered* - CryptSvc

*Deregistered* - DcomLaunch

*Deregistered* - Dhcp

*Deregistered* - dmio

*Deregistered* - dmload

*Deregistered* - dmserver

*Deregistered* - Dnscache

*Deregistered* - ERSvc

*Deregistered* - EventSystem

*Deregistered* - Fips

*Deregistered* - FltMgr

*Deregistered* - Ftdisk

*Deregistered* - Gpc

*Deregistered* - helpsvc

*Deregistered* - HTTP

*Deregistered* - ImapiService

*Deregistered* - IpNat

*Deregistered* - IPSec

*Deregistered* - kl1

*Deregistered* - klbg

*Deregistered* - KSecDD

*Deregistered* - LanmanServer

*Deregistered* - lanmanworkstation

*Deregistered* - MountMgr

*Deregistered* - MRxSmb

*Deregistered* - Msfs

*Deregistered* - mssmbios

*Deregistered* - Mup

*Deregistered* - NDIS

*Deregistered* - NdisTapi

*Deregistered* - Ndisuio

*Deregistered* - NdisWan

*Deregistered* - NDProxy

*Deregistered* - NetBIOS

*Deregistered* - NetBT

*Deregistered* - Netman

*Deregistered* - Nla

*Deregistered* - Npfs

*Deregistered* - Ntfs

*Deregistered* - Null

*Deregistered* - PartMgr

*Deregistered* - ParVdm

*Deregistered* - PolicyAgent

*Deregistered* - PptpMiniport

*Deregistered* - PSched

*Deregistered* - RasAcd

*Deregistered* - Rasl2tp

*Deregistered* - RasMan

*Deregistered* - RasPppoe

*Deregistered* - Raspti

*Deregistered* - Rdbss

*Deregistered* - RDPCDD

*Deregistered* - rdpdr

*Deregistered* - RpcSs

*Deregistered* - seclogon

*Deregistered* - SENS

*Deregistered* - SharedAccess

*Deregistered* - ShellHWDetection

*Deregistered* - sr

*Deregistered* - srservice

*Deregistered* - Srv

*Deregistered* - SSDPSRV

*Deregistered* - stisvc

*Deregistered* - swenum

*Deregistered* - TapiSrv

*Deregistered* - Tcpip

*Deregistered* - TermDD

*Deregistered* - TermService

*Deregistered* - Themes

*Deregistered* - TrkWks

*Deregistered* - Update

*Deregistered* - VgaSave

*Deregistered* - VolSnap

*Deregistered* - W32Time

*Deregistered* - Wanarp

*Deregistered* - winmgmt

*Deregistered* - wuauserv

*Deregistered* - WudfPf

*Deregistered* - WZCSVC

.

Contents of the 'Scheduled Tasks' folder

 

2008-11-17 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\arquivos de programas\Apple Software Update\SoftwareUpdate.exe [2008-04-11 18:57]

 

2008-12-07 c:\windows\Tasks\GoogleUpdateTaskUser.job

- c:\documents and settings\Administrador\Configura []

.

- - - - ORPHANS REMOVED - - - -

 

MSConfigStartUp-DrvIcon - c:\arquivos de programas\Vista Drive Icon\DrvIcon.exe

 

 

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.terra.com.br/

uInternet Settings,ProxyOverride = *.local

IE: &Download by Orbit

IE: &Grab video by Orbit

IE: Do&wnload selected by Orbit

IE: Down&load all by Orbit

IE: E&xport to Microsoft Excel - c:\arquiv~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: {{3EA0FF1C-D61E-43AF-B189-857FC94413BF} - c:\arquivos de programas\FreshDevices\FreshDownload\fd.exe

IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Administrador\Menu Iniciar\Programas\IMVU\Run IMVU.lnk

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

FF - ProfilePath - c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\cgu85kv7.default\

FF - prefs.js: browser.startup.homepage - www.orkut.com.br

FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\npzylomgamesplayer.dll

FF - plugin: c:\documents and settings\All Users\Dados de aplicativos\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll

 

---- FIREFOX POLICIES ----

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-30 17:03:34

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]

@Denied: (Full) (Everyone)

"scansk"=hex(0):f3,b0,c0,25,20,2b,ce,30,42,e3,5f,0e,7f,35,17,1d,6c,44,f9,cd,02,

38,5d,c2,c5,70,a4,56,68,5e,b3,2f,f6,5c,ef,65,a9,3c,4b,63,00,00,00,00,00,00,\

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{a8a73a09-69d1-4645-a778-327f11185f79}]

@Denied: (Full) (Everyone)

"Model"=dword:000000fb

"Therad"=dword:00000017

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•6~*]

"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(660)

c:\arquivos de programas\Stardock\Object Desktop\WindowBlinds\wbsrv.dll

.

Completion time: 2009-01-30 17:05:48

ComboFix-quarantined-files.txt 2009-01-30 19:05:44

 

Pre-Run: 21 pasta(s) 30.947.831.808 bytes disponíveis

Post-Run: 21 pasta(s) 31,015,157,760 bytes disponíveis

 

376 --- E O F --- 2009-01-17 17:48:02

Hey roberta alana,

 

Follow the instructions:

 

1. Open Notepad -> Copy (Control + C) and Paste (Control + V) all the text included in the "Quote":

File::

c:\documents and settings\Administrador\Menu Iniciar\Programas\IMVU\Run IMVU.lnk

c:\windows\system32\ActiveSkin.ocx

c:\windows\system32\scrnrdr.exe

c:\windows\system32\pskill.exe

c:\windows\ActiveSkin.INI

c:\windows\Icon_3.ico

c:\windows\Icon_4.ico

C:\prefetch.bat

C:\UNWISE.EXE

Registry::

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_2"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]

"Script"=-

[-HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•6~*]

Driver::

R3 2d91D;2d91D

WARNING: The script above was written specifically for the infection on this computer. Using it on another machine may cause serious problems for that user.

2. Save the file as CFScript.txt;

3. As shown in the picture below, drag the CFScript.txt file onto ComboFix.exe.
[image: cfscript.gif]

4. When the process finishes, the tool will generate a log. Post it (C:\ComboFix.txt) in your next reply, together with a new HijackThis log.

Cheers.

PS: In your next reply, show the contents of the highlighted folder c:\documents and settings\Administrador\Configura.


ComboFix 09-02-02.04 - Administrador 2009-02-02 22:24:52.10 - NTFSx86

Executando de: c:\documents and settings\Administrador\Desktop\ComboFix.exe

Comandos utilizados :: c:\documents and settings\Administrador\Desktop\CFScript.txt

 

FILE ::

c:\documents and settings\Administrador\Menu Iniciar\Programas\IMVU\Run IMVU.lnk

C:\prefetch.bat

C:\UNWISE.EXE

c:\windows\ActiveSkin.INI

c:\windows\Icon_3.ico

c:\windows\Icon_4.ico

c:\windows\system32\ActiveSkin.ocx

c:\windows\system32\pskill.exe

c:\windows\system32\scrnrdr.exe

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\prefetch.bat

C:\UNWISE.EXE

c:\windows\ActiveSkin.INI

c:\windows\Icon_3.ico

c:\windows\Icon_4.ico

c:\windows\system32\ActiveSkin.ocx

c:\windows\system32\pskill.exe

c:\windows\system32\scrnrdr.exe

 

.

(((((((((((((((( Arquivos/Ficheiros criados de 2009-01-03 to 2009-02-03 ))))))))))))))))))))))))))))

.

 

2009-01-31 23:47 . 2009-02-01 00:54 <DIR> d-------- c:\windows\system32\XPSViewer

2009-01-31 23:47 . 2009-01-31 23:47 <DIR> d-------- c:\arquivos de programas\Reference Assemblies

2009-01-30 22:54 . 2009-01-30 23:06 <DIR> d-------- c:\documents and settings\Administrador\Dados de aplicativos\IObit

2009-01-19 14:00 . 2009-01-19 14:00 <DIR> d-------- c:\arquivos de programas\Google

2009-01-18 22:36 . 2009-01-18 22:36 <DIR> d-------- c:\windows\Downloaded Installations

2009-01-17 15:29 . 2009-01-17 15:29 <DIR> d-------- c:\documents and settings\Administrador\Dados de aplicativos\Malwarebytes

2009-01-17 15:27 . 2009-01-17 15:27 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes

2009-01-17 15:10 . 2009-01-17 15:10 <DIR> d-------- c:\windows\system32\VIRepair

2009-01-12 16:02 . 2009-01-12 16:19 <DIR> d-------- C:\Downloads

2009-01-12 15:48 . 2009-01-17 15:01 <DIR> d-------- c:\arquivos de programas\BitComet

2009-01-12 15:43 . 2009-01-12 15:45 <DIR> d-------- c:\documents and settings\Administrador\Dados de aplicativos\avidemux

2009-01-10 19:44 . 2009-01-10 19:44 <DIR> d-------- c:\arquivos de programas\Secway

2009-01-10 19:39 . 2009-01-10 19:39 <DIR> d-------- c:\arquivos de programas\Microsoft

2009-01-09 00:19 . 2009-01-09 00:19 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Messenger Plus!

2009-01-08 22:59 . 2009-01-11 11:04 <DIR> d-------- c:\arquivos de programas\Messenger Plus! Live

2009-01-08 21:46 . 2009-01-17 15:02 <DIR> d-------- c:\arquivos de programas\SimilarImages

2009-01-08 14:38 . 2009-01-08 21:31 <DIR> d-------- c:\arquivos de programas\MSN Messenger

2009-01-03 02:49 . 2009-01-03 02:49 <DIR> d-------- c:\arquivos de programas\Windows Live Safety Center

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-01 01:47 --------- dc----w c:\arquivos de programas\MSBuild

2009-01-29 13:38 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\LimeWire

2009-01-29 03:16 --------- dc----w c:\arquivos de programas\LimeWire

2009-01-29 01:22 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\gtk-2.0

2009-01-26 03:05 --------- dc----w c:\arquivos de programas\CCleaner

2009-01-23 16:16 --------- dc----w c:\arquivos de programas\IObit

2009-01-17 17:47 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help

2009-01-17 17:03 --------- dc----w c:\arquivos de programas\Total Video Converter

2009-01-10 21:39 --------- dc----w c:\arquivos de programas\Windows Live

2009-01-09 00:11 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\WLInstaller

2008-12-30 15:21 --------- d---a-w c:\documents and settings\All Users\Dados de aplicativos\TEMP

2008-12-22 03:37 --------- d-----w c:\arquivos de programas\GIMP-2.0

2008-12-21 19:11 --------- d-----w c:\arquivos de programas\PluginLetras

2008-12-21 19:10 --------- d-----w c:\arquivos de programas\Paint.NET

2008-12-19 21:51 --------- d-----w c:\arquivos de programas\Windows Live SkyDrive

2008-12-17 00:56 293,376 ----a-w c:\windows\system32\WISPTIS.EXE

2008-12-14 20:25 --------- dc----w c:\arquivos de programas\Opera

2008-12-13 06:37 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys

2008-12-05 01:18 --------- dc----w c:\arquivos de programas\Flock(2)

2008-12-03 00:37 49,480 ----a-w c:\windows\system32\sirenacm.dll

.

 

------- Sigcheck -------

 

2001-02-20 14:09 8192 d36a33c21eeed5a6c1daecb7c80a1909 c:\windows\system32\CTFMON.EXE

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="ctfmon.exe" [2001-02-20 c:\windows\system32\CTFMON.EXE]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="c:\arquivos de programas\Alwil Software\Avast4\ashDisp.exe" [2008-11-26 81000]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_3"="advpack.dll" [2008-10-16 c:\windows\system32\advpack.dll]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableCAD"= 1 (0x1)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoSMHelp"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]

2008-09-17 09:05 210168 c:\arquivos de programas\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Orbit.lnk]

backup=c:\windows\pss\Orbit.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a--c--- 2008-06-12 03:38 34672 c:\arquivos de programas\Adobe\Reader 9.0\Reader\reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\domino]

--a------ 2006-07-04 15:16 49152 c:\windows\domino.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

--a--c--- 2007-08-24 08:00 33648 c:\arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a--c--- 2008-05-27 11:50 413696 c:\arquivos de programas\QuickTime\QTTask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

-ra--c--- 2008-06-14 19:28 26992424 c:\arquivos de programas\Skype\Phone\Skype.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a--c--- 2008-06-10 05:27 144784 c:\arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

--a--c--- 2008-07-18 22:12 185896 c:\arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMSnap1]

--a------ 2006-07-17 12:27 49152 c:\windows\VMSnap1.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2001-02-20 14:09 8192 c:\windows\system32\CTFMON.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WMPNetworkSvc"=3 (0x3)

"WLSetupSvc"=3 (0x3)

"VideoAcceleratorService"=2 (0x2)

"UPS"=3 (0x3)

"ose"=3 (0x3)

"odserv"=3 (0x3)

"NMIndexingService"=3 (0x3)

"Microsoft Office Groove Audit Service"=3 (0x3)

"MDM"=2 (0x2)

"McAfee SiteAdvisor Service"=2 (0x2)

"iPod Service"=3 (0x3)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\LimeWire\\LimeWire.exe"=

"c:\\Arquivos de programas\\iTunes\\iTunes.exe"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

"c:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"9921:TCP"= 9921:TCP:BitCometBeta 9921 TCP

"9921:UDP"= 9921:UDP:BitCometBeta 9921 UDP

 

R3 2d91D;2d91D; [x]

R3 s916bus;Sony Ericsson Device 916 driver (WDM);c:\windows\system32\DRIVERS\s916bus.sys [2007-11-02 83496]

R3 s916mdfl;Sony Ericsson Device 916 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s916mdfl.sys [2007-11-02 15016]

R3 s916mdm;Sony Ericsson Device 916 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s916mdm.sys [2007-11-02 109992]

R3 s916mgmt;Sony Ericsson Device 916 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s916mgmt.sys [2007-11-02 103976]

R3 s916obex;Sony Ericsson Device 916 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s916obex.sys [2007-11-02 100008]

S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]

S1 aswSP;avast! Self Protection; [x]

S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-26 20560]

S3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]

S3 slnt;Realtek RTL8139 PCI Fast Ethernet Adapter;c:\windows\system32\DRIVERS\slnt.sys [2005-12-07 17999]

 

 

--- ---

 

*Deregistered* - Aavmker4

*Deregistered* - AFD

*Deregistered* - ALG

*Deregistered* - aswFsBlk

*Deregistered* - aswMon2

*Deregistered* - aswRdr

*Deregistered* - aswSP

*Deregistered* - aswTdi

*Deregistered* - aswUpdSv

*Deregistered* - AudioSrv

*Deregistered* - audstub

*Deregistered* - avast! Antivirus

*Deregistered* - avast! Mail Scanner

*Deregistered* - avast! Web Scanner

*Deregistered* - Beep

*Deregistered* - BITS

*Deregistered* - Cdfs

*Deregistered* - CryptSvc

*Deregistered* - DcomLaunch

*Deregistered* - Dhcp

*Deregistered* - dmio

*Deregistered* - dmload

*Deregistered* - dmserver

*Deregistered* - Dnscache

*Deregistered* - EventSystem

*Deregistered* - Fips

*Deregistered* - FltMgr

*Deregistered* - Ftdisk

*Deregistered* - Gpc

*Deregistered* - helpsvc

*Deregistered* - HTTP

*Deregistered* - ImapiService

*Deregistered* - IpNat

*Deregistered* - IPSec

*Deregistered* - kl1

*Deregistered* - klbg

*Deregistered* - KSecDD

*Deregistered* - LanmanServer

*Deregistered* - lanmanworkstation

*Deregistered* - MountMgr

*Deregistered* - MRxSmb

*Deregistered* - Msfs

*Deregistered* - mssmbios

*Deregistered* - Mup

*Deregistered* - NDIS

*Deregistered* - NdisTapi

*Deregistered* - Ndisuio

*Deregistered* - NdisWan

*Deregistered* - NDProxy

*Deregistered* - NetBIOS

*Deregistered* - NetBT

*Deregistered* - Netman

*Deregistered* - Nla

*Deregistered* - Npfs

*Deregistered* - Ntfs

*Deregistered* - Null

*Deregistered* - PartMgr

*Deregistered* - ParVdm

*Deregistered* - PolicyAgent

*Deregistered* - PptpMiniport

*Deregistered* - PSched

*Deregistered* - RasAcd

*Deregistered* - Rasl2tp

*Deregistered* - RasMan

*Deregistered* - RasPppoe

*Deregistered* - Raspti

*Deregistered* - Rdbss

*Deregistered* - RDPCDD

*Deregistered* - rdpdr

*Deregistered* - RpcSs

*Deregistered* - Schedule

*Deregistered* - seclogon

*Deregistered* - SENS

*Deregistered* - SharedAccess

*Deregistered* - ShellHWDetection

*Deregistered* - sr

*Deregistered* - srservice

*Deregistered* - Srv

*Deregistered* - SSDPSRV

*Deregistered* - stisvc

*Deregistered* - swenum

*Deregistered* - TapiSrv

*Deregistered* - Tcpip

*Deregistered* - TermDD

*Deregistered* - TermService

*Deregistered* - Themes

*Deregistered* - TrkWks

*Deregistered* - Update

*Deregistered* - VgaSave

*Deregistered* - VolSnap

*Deregistered* - W32Time

*Deregistered* - Wanarp

*Deregistered* - winmgmt

*Deregistered* - wuauserv

*Deregistered* - WudfPf

*Deregistered* - WZCSVC

.

Conteúdo da pasta 'Tarefas Agendadas'

 

2008-11-17 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\arquivos de programas\Apple Software Update\SoftwareUpdate.exe [2008-04-11 18:57]

 

2008-12-07 c:\windows\Tasks\GoogleUpdateTaskUser.job

- c:\documents and settings\Administrador\Configura []

.

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.terra.com.br/

uInternet Settings,ProxyOverride = *.local

IE: &Download by Orbit

IE: &Grab video by Orbit

IE: Do&wnload selected by Orbit

IE: Down&load all by Orbit

IE: E&xport to Microsoft Excel - c:\arquiv~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: {{3EA0FF1C-D61E-43AF-B189-857FC94413BF} - c:\arquivos de programas\FreshDevices\FreshDownload\fd.exe

IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949}

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

FF - ProfilePath - c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\cgu85kv7.default\

FF - prefs.js: browser.startup.homepage - www.orkut.com.br

FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\npzylomgamesplayer.dll

FF - plugin: c:\documents and settings\All Users\Dados de aplicativos\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll

 

---- FIREFOX POLICIES ----

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-02 22:28:31

Windows 5.1.2600 Service Pack 3 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]

@Denied: (Full) (Everyone)

"scansk"=hex(0):f3,b0,c0,25,20,2b,ce,30,42,e3,5f,0e,7f,35,17,1d,6c,44,f9,cd,02,

38,5d,c2,c5,70,a4,56,68,5e,b3,2f,f6,5c,ef,65,a9,3c,4b,63,00,00,00,00,00,00,\

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{a8a73a09-69d1-4645-a778-327f11185f79}]

@Denied: (Full) (Everyone)

"Model"=dword:000000fb

"Therad"=dword:00000017

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•6~*]

"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

 

- - - - - - - > 'winlogon.exe'(660)

c:\arquivos de programas\Stardock\Object Desktop\WindowBlinds\wbsrv.dll

.

Tempo para conclusão: 2009-02-02 22:30:40

ComboFix-quarantined-files.txt 2009-02-03 00:30:36

 

Pré-execução: 20 pasta(s) 29.562.408.960 bytes disponíveis

Pós execução: 20 pasta(s) 29,590,462,464 bytes disponíveis

 

314 --- E O F --- 2009-01-17 17:48:02

 

 

 

 

 

 

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:38:51, on 2/2/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Alwil Software\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\setup\avast.setup

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Arquivos de programas\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - C:\ARQUIV~1\FreshDevices\FreshDownload\fdiebar.dll

O4 - HKLM\..\Run: [avast!] "C:\Arquivos de programas\Alwil Software\Avast4\ashDisp.exe"

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - HKUS\S-1-5-21-448539723-1645522239-1801674531-500\..\Run: [ctfmon.exe] ctfmon.exe (User '?')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User '?')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: FreshDownload - {3EA0FF1C-D61E-43AF-B189-857FC94413BF} - C:\Arquivos de programas\FreshDevices\FreshDownload\fd.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\system32\shdocvw.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Arquivos de programas\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1221510508703

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD44/JSCDL/jdk/6u...ows-i586-jc.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\Skype4COM.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: iPod Service - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)

 

--

End of file - 7086 bytes


j said I should post a report that is supposed to be in that highlighted folder


Exactly. I need you to list the files contained in that folder. ;)


there is no "configurações" folder...


The folder's name is \Configura. Doesn't it exist?


It doesn't exist... o.O


Hey roberta alana,

Download Panda Anti-Rootkit and save it to your Desktop.

When you open the zipped content, double-click PAVARK.exe -> accept the Terms -> wait for the program's online update to finish -> click Scan and wait for the scan to complete.

Come back with the result.

Cheers.


The program did not detect any rootkits...


Hey roberta alana,

Malwarebytes Anti-Malware is a relatively new product, but it is highly effective at removing common infections. The program is small, free and available in Portuguese.

Installing it is the first step toward cleaning an infected operating system.

In this tutorial you will learn how to install and run it.

1) First, download the program:

http://www.malwarebytes.org/mbam/program/mbam-setup.exe

2) Now install the program, as follows:

Run the installer:

[image: capturadatelaha4.png]

Right after running the installer, the following screen will appear:

[image: capturadatela1zv8.png]

Now click Install to finish:

[image: capturadatela6yd8.png]

When the installation finishes, leave the Update and Launch options checked:

[image: capturadatela7cd6.png]

The program's update screen will then appear:

[image: capturadatela9en9.png]

3) This is the program's main screen. Select the Full Scan option and click the Scan button.

[image: capturadatela10vs1.png]

Wait until the scan finishes:

[image: capturadatela12zo1.png]

When the scan is done, this message will appear:

[image: capturadatela13oi2.png]

The scan result will be shown, with the names of the files and the malware found.

To carry out the cleanup, click Remove Selected:

[image: capturadatela14qb8.png]

To complete the cleanup, the computer will need to be restarted:

[image: capturadatela15um2ed5.png]

The program keeps the logs of the scans it has run in the folder C:\Documents and Settings\Seu nome de Usuario\Dados de aplicativos\Malwarebytes\Malwarebytes' Anti-Malware\Logs, which can also be accessed from the Logs tab inside the program.

Come back with the scan result.

Credits: Fabio Assolini.

Link to the original post: here.


Malwarebytes' Anti-Malware 1.33

Versão do banco de dados: 1736

Windows 5.1.2600 Service Pack 3

 

7/2/2009 18:25:06 Beta

mbam-log-2009-02-07 (18-25-06).txt

 

Tipo de Verificação: Completa (C:\|)

Objetos verificados: 117378

Tempo decorrido: 2 hour(s), 24 minute(s), 28 second(s)

 

Processos da Memória infectados: 0

Módulos de Memória Infectados: 0

Chaves do Registro infectadas: 0

Valores do Registro infectados: 0

Ítens do Registro infectados: 0

Pastas infectadas: 0

Arquivos infectados: 0

 

Processos da Memória infectados:

(Nenhum ítem malicioso foi detectado)

 

Módulos de Memória Infectados:

(Nenhum ítem malicioso foi detectado)

 

Chaves do Registro infectadas:

(Nenhum ítem malicioso foi detectado)

 

Valores do Registro infectados:

(Nenhum ítem malicioso foi detectado)

 

Ítens do Registro infectados:

(Nenhum ítem malicioso foi detectado)

 

Pastas infectadas:

(Nenhum ítem malicioso foi detectado)

 

Arquivos infectados:

(Nenhum ítem malicioso foi detectado)


Come on, please help me solve this problem....

My PC is still slow at startup.. I even timed it: the 'welcome' screen stays up for almost 2 minutes

and when it comes up, the wallpaper appears but neither the taskbar nor the desktop icons show, only after a few seconds...

please help me =/


ComboFix 09-02-12.03 - Administrador 2009-02-14 0:03:16.10 - NTFSx86

Running from: c:\documents and settings\Administrador\Desktop\ComboFix.exe

.

 

((((((((((((((((((((((((( Files Created from 2009-01-14 to 2009-02-14 )))))))))))))))))))))))))))))))

.

 

2009-02-13 10:09 . 2009-02-13 10:09 <DIR> d-------- c:\arquivos de programas\Real Alternative

2009-02-11 11:33 . 2009-02-11 11:39 <DIR> d-------- c:\documents and settings\Administrador\Dados de aplicativos\VoipRaider

2009-02-10 00:17 . 2009-02-10 19:47 <DIR> d-------- c:\arquivos de programas\MessengerDiscovery

2009-02-07 19:51 . 2009-02-07 19:51 <DIR> d-------- c:\documents and settings\Administrador\Pavark

2009-02-07 19:51 . 2009-02-07 19:51 <DIR> d-------- c:\arquivos de programas\Windows Live SkyDrive

2009-02-07 19:50 . 2009-02-07 19:50 <DIR> d-------- c:\arquivos de programas\CCleaner

2009-02-06 21:01 . 2009-02-07 19:51 <DIR> d-------- c:\arquivos de programas\Ares

2009-02-05 11:09 . 2009-02-07 02:25 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Messenger Plus!

2009-02-05 11:05 . 2009-02-07 19:51 <DIR> d-------- c:\arquivos de programas\Windows Live

2009-02-05 11:04 . 2009-02-07 19:49 <DIR> d-------- c:\arquivos de programas\Messenger Plus! Live

2009-02-04 23:37 . 2009-02-04 23:37 <DIR> d-------- c:\documents and settings\Administrador\Dados de aplicativos\Auslogics

2009-02-04 23:37 . 2009-02-04 23:37 <DIR> d-------- c:\arquivos de programas\Auslogics

2009-02-04 00:18 . 2009-02-07 19:50 <DIR> d-------- c:\arquivos de programas\Windows Installer 4.5 SDK

2009-02-03 16:12 . 2009-02-03 16:12 <DIR> d-------- c:\windows\SxsCaPendDel

2009-02-03 16:12 . 2009-02-03 16:12 <DIR> d-------- C:\09a0c4922fb6dd159cfa

2009-02-02 22:50 . 2009-02-03 16:11 <DIR> d-------- C:\RECYCLER(3)

2009-02-01 00:08 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll

2009-01-31 23:47 . 2009-02-03 16:12 <DIR> d-------- c:\windows\system32\XPSViewer

2009-01-31 23:47 . 2009-01-31 23:47 <DIR> d-------- c:\arquivos de programas\Reference Assemblies

2009-01-31 23:46 . 2008-07-06 10:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll

2009-01-31 23:46 . 2008-07-06 10:06 1,676,288 --------- c:\windows\system32\dllcache\xpssvcs.dll

2009-01-31 23:46 . 2008-07-06 08:50 597,504 --------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-01-31 23:46 . 2008-07-06 10:06 575,488 --------- c:\windows\system32\xpsshhdr.dll

2009-01-31 23:46 . 2008-07-06 10:06 575,488 --------- c:\windows\system32\dllcache\xpsshhdr.dll

2009-01-31 23:46 . 2008-07-06 10:06 117,760 --------- c:\windows\system32\prntvpt.dll

2009-01-31 23:46 . 2008-07-06 10:06 89,088 --------- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-01-30 22:54 . 2009-01-30 23:06 <DIR> d-------- c:\documents and settings\Administrador\Dados de aplicativos\IObit

2009-01-28 11:04 . 2009-01-28 11:04 30 --a------ C:\prefetch.bat

2009-01-19 14:00 . 2009-02-07 19:51 <DIR> d-------- c:\arquivos de programas\Google

2009-01-18 23:04 . 2001-09-30 19:10 246,784 --a------ c:\windows\system32\ActiveSkin.ocx

2009-01-18 23:04 . 2001-05-24 12:59 162,304 --a------ C:\UNWISE.EXE

2009-01-18 23:04 . 2002-01-18 18:12 112 --a------ c:\windows\ActiveSkin.INI

2009-01-18 22:36 . 2009-01-18 22:36 <DIR> d-------- c:\windows\Downloaded Installations

2009-01-17 15:29 . 2009-01-17 15:29 <DIR> d-------- c:\documents and settings\Administrador\Dados de aplicativos\Malwarebytes

2009-01-17 15:27 . 2009-01-17 15:27 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes

2009-01-17 15:10 . 2009-01-17 15:10 <DIR> d-------- c:\windows\system32\VIRepair

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-10 02:17 --------- d-----w c:\arquivos de programas\MSN Messenger

2009-02-09 22:06 --------- dc----w c:\arquivos de programas\Arquivos comuns\Real

2009-02-08 04:20 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\SecondLife

2009-02-07 21:51 --------- dc----w c:\arquivos de programas\LimeWire

2009-02-07 21:50 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\LimeWire

2009-02-06 13:11 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\WLInstaller

2009-02-03 19:36 5,632 ----a-w c:\windows\system32\wmi.dll

2009-02-03 19:36 5,632 ----a-w c:\windows\system32\dllcache\wmi.dll

2009-02-01 01:47 --------- dc----w c:\arquivos de programas\MSBuild

2009-01-29 01:22 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\gtk-2.0

2009-01-23 16:16 --------- dc----w c:\arquivos de programas\IObit

2009-01-17 17:47 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help

2009-01-17 17:03 --------- dc----w c:\arquivos de programas\Total Video Converter

2009-01-17 17:02 --------- d-----w c:\arquivos de programas\SimilarImages

2009-01-12 17:45 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\avidemux

2009-01-10 21:44 --------- d-----w c:\arquivos de programas\Secway

2008-12-30 15:21 --------- d---a-w c:\documents and settings\All Users\Dados de aplicativos\TEMP

2008-12-22 03:37 --------- d-----w c:\arquivos de programas\GIMP-2.0

2008-12-21 19:11 --------- d-----w c:\arquivos de programas\PluginLetras

2008-12-21 19:10 --------- d-----w c:\arquivos de programas\Paint.NET

2008-12-17 00:56 293,376 ----a-w c:\windows\system32\WISPTIS.EXE

2008-12-14 20:25 --------- dc----w c:\arquivos de programas\Opera

2008-12-13 06:37 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll

2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys

.

 

------- Sigcheck -------

 

2001-02-20 14:09 8192 d36a33c21eeed5a6c1daecb7c80a1909 c:\windows\system32\CTFMON.EXE

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="ctfmon.exe" [2001-02-20 c:\windows\system32\CTFMON.EXE]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="c:\arquivos de programas\Alwil Software\Avast4\ashDisp.exe" [2009-02-05 81000]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_2"="shell32" [X]

"nltide_3"="advpack.dll" [2008-10-16 c:\windows\system32\advpack.dll]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableCAD"= 1 (0x1)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoSMHelp"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]

2008-09-17 09:05 210168 c:\arquivos de programas\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]

"Script"=C:\prefetch.bat

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Orbit.lnk]

backup=c:\windows\pss\Orbit.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a--c--- 2008-06-12 03:38 34672 c:\arquivos de programas\Adobe\Reader 9.0\Reader\reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\domino]

--a------ 2006-07-04 15:16 49152 c:\windows\domino.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

--a--c--- 2007-08-24 08:00 33648 c:\arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a--c--- 2008-05-27 11:50 413696 c:\arquivos de programas\QuickTime\QTTask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

-ra--c--- 2008-06-14 19:28 26992424 c:\arquivos de programas\Skype\Phone\Skype.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a--c--- 2008-06-10 05:27 144784 c:\arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMSnap1]

--a------ 2006-07-17 12:27 49152 c:\windows\VMSnap1.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2001-02-20 14:09 8192 c:\windows\system32\CTFMON.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WMPNetworkSvc"=3 (0x3)

"WLSetupSvc"=3 (0x3)

"VideoAcceleratorService"=2 (0x2)

"UPS"=3 (0x3)

"ose"=3 (0x3)

"odserv"=3 (0x3)

"NMIndexingService"=3 (0x3)

"Microsoft Office Groove Audit Service"=3 (0x3)

"MDM"=2 (0x2)

"McAfee SiteAdvisor Service"=2 (0x2)

"iPod Service"=3 (0x3)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\iTunes\\iTunes.exe"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

"c:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=

"c:\\Arquivos de programas\\LimeWire\\LimeWire.exe"=

"c:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"c:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

"c:\\Arquivos de programas\\Ares\\Ares.exe"=

"c:\\Arquivos de programas\\MessengerDiscovery\\MessengerDiscovery Live.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"9921:TCP"= 9921:TCP:BitCometBeta 9921 TCP

"9921:UDP"= 9921:UDP:BitCometBeta 9921 UDP

 

R3 2d91D;2d91D; [x]

R3 s916bus;Sony Ericsson Device 916 driver (WDM);c:\windows\system32\DRIVERS\s916bus.sys [2007-11-02 83496]

R3 s916mdfl;Sony Ericsson Device 916 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s916mdfl.sys [2007-11-02 15016]

R3 s916mdm;Sony Ericsson Device 916 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s916mdm.sys [2007-11-02 109992]

R3 s916mgmt;Sony Ericsson Device 916 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s916mgmt.sys [2007-11-02 103976]

R3 s916obex;Sony Ericsson Device 916 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s916obex.sys [2007-11-02 100008]

S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]

S1 aswSP;avast! Self Protection; [x]

S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]

S3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]

S3 slnt;Realtek RTL8139 PCI Fast Ethernet Adapter;c:\windows\system32\DRIVERS\slnt.sys [2005-12-07 17999]

 

 

--- Other Services/Drivers In Memory ---

 

*Deregistered* - Aavmker4

*Deregistered* - AFD

*Deregistered* - ALG

*Deregistered* - aswFsBlk

*Deregistered* - aswMon2

*Deregistered* - aswRdr

*Deregistered* - aswSP

*Deregistered* - aswTdi

*Deregistered* - aswUpdSv

*Deregistered* - AudioSrv

*Deregistered* - audstub

*Deregistered* - avast! Antivirus

*Deregistered* - avast! Mail Scanner

*Deregistered* - avast! Web Scanner

*Deregistered* - Beep

*Deregistered* - Cdfs

*Deregistered* - CryptSvc

*Deregistered* - Dhcp

*Deregistered* - dmio

*Deregistered* - dmload

*Deregistered* - dmserver

*Deregistered* - Dnscache

*Deregistered* - EventSystem

*Deregistered* - Fips

*Deregistered* - FltMgr

*Deregistered* - Ftdisk

*Deregistered* - Gpc

*Deregistered* - HTTP

*Deregistered* - HTTPFilter

*Deregistered* - IpNat

*Deregistered* - IPSec

*Deregistered* - kl1

*Deregistered* - klbg

*Deregistered* - KSecDD

*Deregistered* - LanmanServer

*Deregistered* - MountMgr

*Deregistered* - MRxSmb

*Deregistered* - Msfs

*Deregistered* - MSIServer

*Deregistered* - mssmbios

*Deregistered* - Mup

*Deregistered* - NDIS

*Deregistered* - NdisTapi

*Deregistered* - Ndisuio

*Deregistered* - NdisWan

*Deregistered* - NDProxy

*Deregistered* - NetBIOS

*Deregistered* - NetBT

*Deregistered* - Netman

*Deregistered* - Nla

*Deregistered* - Npfs

*Deregistered* - Ntfs

*Deregistered* - Null

*Deregistered* - PartMgr

*Deregistered* - ParVdm

*Deregistered* - PptpMiniport

*Deregistered* - ProtectedStorage

*Deregistered* - PSched

*Deregistered* - RasAcd

*Deregistered* - RasAuto

*Deregistered* - Rasl2tp

*Deregistered* - RasMan

*Deregistered* - RasPppoe

*Deregistered* - Raspti

*Deregistered* - Rdbss

*Deregistered* - RDPCDD

*Deregistered* - rdpdr

*Deregistered* - RpcSs

*Deregistered* - SamSs

*Deregistered* - SENS

*Deregistered* - SharedAccess

*Deregistered* - ShellHWDetection

*Deregistered* - sr

*Deregistered* - srservice

*Deregistered* - Srv

*Deregistered* - SSDPSRV

*Deregistered* - swenum

*Deregistered* - TapiSrv

*Deregistered* - Tcpip

*Deregistered* - TermDD

*Deregistered* - TermService

*Deregistered* - Themes

*Deregistered* - TrkWks

*Deregistered* - Update

*Deregistered* - upnphost

*Deregistered* - VgaSave

*Deregistered* - VolSnap

*Deregistered* - W32Time

*Deregistered* - Wanarp

*Deregistered* - winmgmt

*Deregistered* - WudfPf

*Deregistered* - WZCSVC

.

Contents of the 'Scheduled Tasks' folder

 

2008-11-17 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\arquivos de programas\Apple Software Update\SoftwareUpdate.exe [2008-04-11 18:57]

 

2008-12-07 c:\windows\Tasks\GoogleUpdateTaskUser.job

- c:\documents and settings\Administrador\Configura []

.

- - - - ORPHANS REMOVED - - - -

 

MSConfigStartUp-TkBellExe - c:\arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe

MSConfigStartUp-VoipRaider - c:\arquivos de programas\VoipRaider.com\VoipRaider\VoipRaider.exe

 

 

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.terra.com.br/

uInternet Settings,ProxyOverride = *.local

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949}

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

FF - ProfilePath - c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\cgu85kv7.default\

FF - prefs.js: browser.startup.homepage - www.orkut.com.br

FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\npzylomgamesplayer.dll

FF - plugin: c:\arquivos de programas\Opera\program\plugins\nppl3260.dll

FF - plugin: c:\arquivos de programas\Opera\program\plugins\nprpjplug.dll

FF - plugin: c:\documents and settings\All Users\Dados de aplicativos\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll

 

---- FIREFOX POLICIES ----

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-14 00:06:04

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]

@Denied: (Full) (Everyone)

"scansk"=hex(0):f3,b0,c0,25,20,2b,ce,30,42,e3,5f,0e,7f,35,17,1d,6c,44,f9,cd,02,

38,5d,c2,c5,70,a4,56,68,5e,b3,2f,f6,5c,ef,65,a9,3c,4b,63,00,00,00,00,00,00,\

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{a8a73a09-69d1-4645-a778-327f11185f79}]

@Denied: (Full) (Everyone)

"Model"=dword:000000fb

"Therad"=dword:00000017

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•6~*]

"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(720)

c:\arquivos de programas\Stardock\Object Desktop\WindowBlinds\wbsrv.dll

.

Completion time: 2009-02-14 0:08:19

ComboFix-quarantined-files.txt 2009-02-14 02:08:14

ComboFix2.txt 2009-02-03 00:30:42

 

Pre-Run: 22 pasta(s) 35.939.205.120 bytes disponíveis

Post-Run: 22 pasta(s) 35,965,612,032 bytes disponíveis

 

312 --- E O F --- 2009-01-17 17:48:02


Hey roberta alana,

Follow these instructions:

1. Open Notepad -> Copy (Control + C) and Paste (Control + V) all of the text included in the "Quote":

File::

c:\windows\system32\ActiveSkin.ocx

c:\windows\ActiveSkin.INI

C:\prefetch.bat

C:\UNWISE.EXE

RegLock::

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{a8a73a09-69d1-4645-a778-327f11185f79}]

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•6~*]

Registry::

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_2"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableCAD"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 0 (0x0)

"NoSMMyPictures"= 0 (0x0)

"NoSMConfigurePrograms"= 0 (0x0)

"NoResolveTrack"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 0 (0x0)

"NoSMMyPictures"= 0 (0x0)

"NoSMHelp"= 0 (0x0)

"NoSMConfigurePrograms"= 0 (0x0)

"NoResolveTrack"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]

"Script"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]

[-HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•6~*]

Driver::

2d91D;2d91D

ATTENTION: The script above was written specifically for the infection present on this computer. Using it on another machine may cause serious problems for that user.

2. Save the file as CFScript.txt;

3. As shown in the picture below, drag the CFScript.txt file onto ComboFix.exe.
cfscript.gif

4. When the process finishes, the tool will generate a log. Post it (C:\ComboFix.txt) in your next reply, together with a new HijackThis log.

Regards.


ComboFix 09-02-12.03 - Administrador 2009-02-14 13:55:25.11 - NTFSx86

Executando de: c:\documents and settings\Administrador\Desktop\ComboFix.exe

Comandos utilizados :: c:\documents and settings\Administrador\Desktop\CFScript.txt

 

FILE ::

C:\prefetch.bat

C:\UNWISE.EXE

c:\windows\ActiveSkin.INI

c:\windows\system32\ActiveSkin.ocx

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\prefetch.bat

C:\UNWISE.EXE

c:\windows\ActiveSkin.INI

c:\windows\system32\ActiveSkin.ocx

 

.

(((((((((((((((( Arquivos/Ficheiros criados de 2009-01-14 to 2009-02-14 ))))))))))))))))))))))))))))

.

 

2009-02-14 00:49 . 2009-02-14 00:49 <DIR> d-------- c:\arquivos de programas\Microsoft

2009-02-13 10:09 . 2009-02-13 10:09 <DIR> d-------- c:\arquivos de programas\Real Alternative

2009-02-11 11:33 . 2009-02-11 11:39 <DIR> d-------- c:\documents and settings\Administrador\Dados de aplicativos\VoipRaider

2009-02-10 00:17 . 2009-02-10 19:47 <DIR> d-------- c:\arquivos de programas\MessengerDiscovery

2009-02-07 19:51 . 2009-02-07 19:51 <DIR> d-------- c:\documents and settings\Administrador\Pavark

2009-02-07 19:51 . 2009-02-07 19:51 <DIR> d-------- c:\arquivos de programas\Windows Live SkyDrive

2009-02-07 19:50 . 2009-02-07 19:50 <DIR> d-------- c:\arquivos de programas\CCleaner

2009-02-06 21:01 . 2009-02-07 19:51 <DIR> d-------- c:\arquivos de programas\Ares

2009-02-05 11:09 . 2009-02-07 02:25 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Messenger Plus!

2009-02-05 11:05 . 2009-02-14 00:48 <DIR> d-------- c:\arquivos de programas\Windows Live

2009-02-05 11:04 . 2009-02-07 19:49 <DIR> d-------- c:\arquivos de programas\Messenger Plus! Live

2009-02-04 23:37 . 2009-02-04 23:37 <DIR> d-------- c:\documents and settings\Administrador\Dados de aplicativos\Auslogics

2009-02-04 23:37 . 2009-02-04 23:37 <DIR> d-------- c:\arquivos de programas\Auslogics

2009-02-04 00:18 . 2009-02-07 19:50 <DIR> d-------- c:\arquivos de programas\Windows Installer 4.5 SDK

2009-02-03 16:12 . 2009-02-03 16:12 <DIR> d-------- c:\windows\SxsCaPendDel

2009-02-03 16:12 . 2009-02-03 16:12 <DIR> d-------- C:\09a0c4922fb6dd159cfa

2009-02-02 22:50 . 2009-02-03 16:11 <DIR> d-------- C:\RECYCLER(3)

2009-02-01 00:08 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll

2009-01-31 23:47 . 2009-02-03 16:12 <DIR> d-------- c:\windows\system32\XPSViewer

2009-01-31 23:47 . 2009-01-31 23:47 <DIR> d-------- c:\arquivos de programas\Reference Assemblies

2009-01-31 23:46 . 2008-07-06 10:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll

2009-01-31 23:46 . 2008-07-06 10:06 1,676,288 --------- c:\windows\system32\dllcache\xpssvcs.dll

2009-01-31 23:46 . 2008-07-06 08:50 597,504 --------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-01-31 23:46 . 2008-07-06 10:06 575,488 --------- c:\windows\system32\xpsshhdr.dll

2009-01-31 23:46 . 2008-07-06 10:06 575,488 --------- c:\windows\system32\dllcache\xpsshhdr.dll

2009-01-31 23:46 . 2008-07-06 10:06 117,760 --------- c:\windows\system32\prntvpt.dll

2009-01-31 23:46 . 2008-07-06 10:06 89,088 --------- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-01-30 22:54 . 2009-01-30 23:06 <DIR> d-------- c:\documents and settings\Administrador\Dados de aplicativos\IObit

2009-01-19 14:00 . 2009-02-07 19:51 <DIR> d-------- c:\arquivos de programas\Google

2009-01-18 22:36 . 2009-01-18 22:36 <DIR> d-------- c:\windows\Downloaded Installations

2009-01-17 15:29 . 2009-01-17 15:29 <DIR> d-------- c:\documents and settings\Administrador\Dados de aplicativos\Malwarebytes

2009-01-17 15:27 . 2009-01-17 15:27 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes

2009-01-17 15:10 . 2009-01-17 15:10 <DIR> d-------- c:\windows\system32\VIRepair

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-14 02:53 --------- d-----w c:\arquivos de programas\MSN Messenger

2009-02-09 22:06 --------- dc----w c:\arquivos de programas\Arquivos comuns\Real

2009-02-08 04:20 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\SecondLife

2009-02-07 21:51 --------- dc----w c:\arquivos de programas\LimeWire

2009-02-07 21:50 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\LimeWire

2009-02-06 13:11 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\WLInstaller

2009-02-01 01:47 --------- dc----w c:\arquivos de programas\MSBuild

2009-01-29 01:22 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\gtk-2.0

2009-01-23 16:16 --------- dc----w c:\arquivos de programas\IObit

2009-01-17 17:47 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help

2009-01-17 17:03 --------- dc----w c:\arquivos de programas\Total Video Converter

2009-01-17 17:02 --------- d-----w c:\arquivos de programas\SimilarImages

2009-01-12 17:45 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\avidemux

2009-01-10 21:44 --------- d-----w c:\arquivos de programas\Secway

2008-12-30 15:21 --------- d---a-w c:\documents and settings\All Users\Dados de aplicativos\TEMP

2008-12-22 03:37 --------- d-----w c:\arquivos de programas\GIMP-2.0

2008-12-21 19:11 --------- d-----w c:\arquivos de programas\PluginLetras

2008-12-21 19:10 --------- d-----w c:\arquivos de programas\Paint.NET

2008-12-14 20:25 --------- dc----w c:\arquivos de programas\Opera

.

 

------- Sigcheck -------

 

2001-02-20 14:09 8192 d36a33c21eeed5a6c1daecb7c80a1909 c:\windows\system32\CTFMON.EXE

.

((((((((((((((((((((((((((((( SnapShot@2009-02-14_ 0.06.54,53 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-02-14 02:49:05 62,304 ----a-r c:\windows\Installer\{32BC546A-8AA3-4239-AE92-9CF3291C35A6}\IconWlc.exe

- 2009-02-05 20:48:38 29,926 ----a-r c:\windows\Installer\{37FD253D-5064-4034-8CEC-CC3995F823A4}\MsblIco.Exe

+ 2009-02-14 02:53:52 29,926 ----a-r c:\windows\Installer\{37FD253D-5064-4034-8CEC-CC3995F823A4}\MsblIco.Exe

+ 2009-02-14 11:10:15 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_5bc.dat

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="ctfmon.exe" [2001-02-20 c:\windows\system32\CTFMON.EXE]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="c:\arquivos de programas\Alwil Software\Avast4\ashDisp.exe" [2009-02-05 81000]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_3"="advpack.dll" [2008-10-16 c:\windows\system32\advpack.dll]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableCAD"= 1 (0x1)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoSMHelp"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]

2008-09-17 09:05 210168 c:\arquivos de programas\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Orbit.lnk]

backup=c:\windows\pss\Orbit.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a--c--- 2008-06-12 03:38 34672 c:\arquivos de programas\Adobe\Reader 9.0\Reader\reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\domino]

--a------ 2006-07-04 15:16 49152 c:\windows\domino.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

--a--c--- 2007-08-24 08:00 33648 c:\arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a--c--- 2008-05-27 11:50 413696 c:\arquivos de programas\QuickTime\QTTask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

-ra--c--- 2008-06-14 19:28 26992424 c:\arquivos de programas\Skype\Phone\Skype.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a--c--- 2008-06-10 05:27 144784 c:\arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMSnap1]

--a------ 2006-07-17 12:27 49152 c:\windows\VMSnap1.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2001-02-20 14:09 8192 c:\windows\system32\CTFMON.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WMPNetworkSvc"=3 (0x3)

"WLSetupSvc"=3 (0x3)

"VideoAcceleratorService"=2 (0x2)

"UPS"=3 (0x3)

"ose"=3 (0x3)

"odserv"=3 (0x3)

"NMIndexingService"=3 (0x3)

"Microsoft Office Groove Audit Service"=3 (0x3)

"MDM"=2 (0x2)

"McAfee SiteAdvisor Service"=2 (0x2)

"iPod Service"=3 (0x3)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\iTunes\\iTunes.exe"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

"c:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=

"c:\\Arquivos de programas\\LimeWire\\LimeWire.exe"=

"c:\\Arquivos de programas\\Ares\\Ares.exe"=

"c:\\Arquivos de programas\\MessengerDiscovery\\MessengerDiscovery Live.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"c:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"9921:TCP"= 9921:TCP:BitCometBeta 9921 TCP

"9921:UDP"= 9921:UDP:BitCometBeta 9921 UDP

 

R3 2d91D;2d91D; [x]

R3 s916bus;Sony Ericsson Device 916 driver (WDM);c:\windows\system32\DRIVERS\s916bus.sys [2007-11-02 83496]

R3 s916mdfl;Sony Ericsson Device 916 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s916mdfl.sys [2007-11-02 15016]

R3 s916mdm;Sony Ericsson Device 916 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s916mdm.sys [2007-11-02 109992]

R3 s916mgmt;Sony Ericsson Device 916 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s916mgmt.sys [2007-11-02 103976]

R3 s916obex;Sony Ericsson Device 916 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s916obex.sys [2007-11-02 100008]

S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]

S1 aswSP;avast! Self Protection; [x]

S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]

S3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]

S3 slnt;Realtek RTL8139 PCI Fast Ethernet Adapter;c:\windows\system32\DRIVERS\slnt.sys [2005-12-07 17999]

 

 

--- ---

 

*Deregistered* - Aavmker4

*Deregistered* - AFD

*Deregistered* - ALG

*Deregistered* - aswFsBlk

*Deregistered* - aswMon2

*Deregistered* - aswRdr

*Deregistered* - aswSP

*Deregistered* - aswTdi

*Deregistered* - aswUpdSv

*Deregistered* - AudioSrv

*Deregistered* - audstub

*Deregistered* - avast! Antivirus

*Deregistered* - avast! Mail Scanner

*Deregistered* - avast! Web Scanner

*Deregistered* - Beep

*Deregistered* - Cdfs

*Deregistered* - CryptSvc

*Deregistered* - Dhcp

*Deregistered* - dmio

*Deregistered* - dmload

*Deregistered* - dmserver

*Deregistered* - Dnscache

*Deregistered* - ERSvc

*Deregistered* - EventSystem

*Deregistered* - Fips

*Deregistered* - FltMgr

*Deregistered* - Ftdisk

*Deregistered* - Gpc

*Deregistered* - helpsvc

*Deregistered* - HTTP

*Deregistered* - HTTPFilter

*Deregistered* - IpNat

*Deregistered* - IPSec

*Deregistered* - kl1

*Deregistered* - klbg

*Deregistered* - KSecDD

*Deregistered* - LanmanServer

*Deregistered* - MountMgr

*Deregistered* - MRxSmb

*Deregistered* - Msfs

*Deregistered* - MSIServer

*Deregistered* - mssmbios

*Deregistered* - Mup

*Deregistered* - NDIS

*Deregistered* - NdisTapi

*Deregistered* - Ndisuio

*Deregistered* - NdisWan

*Deregistered* - NDProxy

*Deregistered* - NetBIOS

*Deregistered* - NetBT

*Deregistered* - Netman

*Deregistered* - Nla

*Deregistered* - Npfs

*Deregistered* - Ntfs

*Deregistered* - Null

*Deregistered* - PartMgr

*Deregistered* - ParVdm

*Deregistered* - PptpMiniport

*Deregistered* - ProtectedStorage

*Deregistered* - PSched

*Deregistered* - RasAcd

*Deregistered* - RasAuto

*Deregistered* - Rasl2tp

*Deregistered* - RasMan

*Deregistered* - RasPppoe

*Deregistered* - Raspti

*Deregistered* - Rdbss

*Deregistered* - RDPCDD

*Deregistered* - rdpdr

*Deregistered* - RpcSs

*Deregistered* - SamSs

*Deregistered* - SENS

*Deregistered* - SharedAccess

*Deregistered* - ShellHWDetection

*Deregistered* - sr

*Deregistered* - srservice

*Deregistered* - Srv

*Deregistered* - SSDPSRV

*Deregistered* - swenum

*Deregistered* - TapiSrv

*Deregistered* - Tcpip

*Deregistered* - TermDD

*Deregistered* - TermService

*Deregistered* - Themes

*Deregistered* - TrkWks

*Deregistered* - Update

*Deregistered* - upnphost

*Deregistered* - VgaSave

*Deregistered* - VolSnap

*Deregistered* - W32Time

*Deregistered* - Wanarp

*Deregistered* - winmgmt

*Deregistered* - wuauserv

*Deregistered* - WudfPf

*Deregistered* - WZCSVC

.

Conteúdo da pasta 'Tarefas Agendadas'

 

2008-11-17 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\arquivos de programas\Apple Software Update\SoftwareUpdate.exe [2008-04-11 18:57]

 

2008-12-07 c:\windows\Tasks\GoogleUpdateTaskUser.job

- c:\documents and settings\Administrador\Configura []

.

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.terra.com.br/

uInternet Settings,ProxyOverride = *.local

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949}

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

FF - ProfilePath - c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\cgu85kv7.default\

FF - prefs.js: browser.startup.homepage - www.orkut.com.br

FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\npzylomgamesplayer.dll

FF - plugin: c:\arquivos de programas\Opera\program\plugins\nppl3260.dll

FF - plugin: c:\arquivos de programas\Opera\program\plugins\nprpjplug.dll

FF - plugin: c:\documents and settings\All Users\Dados de aplicativos\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll

 

---- FIREFOX POLICIES ----

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-14 13:57:28

Windows 5.1.2600 Service Pack 3 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•6~*]

"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

 

- - - - - - - > 'winlogon.exe'(720)

c:\arquivos de programas\Stardock\Object Desktop\WindowBlinds\wbsrv.dll

.

Tempo para conclusão: 2009-02-14 13:59:49

ComboFix-quarantined-files.txt 2009-02-14 15:59:45

ComboFix2.txt 2009-02-14 02:08:22

ComboFix3.txt 2009-02-03 00:30:42

 

Pré-execução: 22 pasta(s) 36.012.617.728 bytes disponíveis

Pós execução: 22 pasta(s) 36,005,924,864 bytes disponíveis

 

315 --- E O F --- 2009-01-17 17:48:02
Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:11:51, on 14/2/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - C:\ARQUIV~1\FreshDevices\FreshDownload\fdiebar.dll

O4 - HKLM\..\Run: [avast!] "C:\Arquivos de programas\Alwil Software\Avast4\ashDisp.exe"

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - HKUS\S-1-5-21-448539723-1645522239-1801674531-500\..\Run: [ctfmon.exe] ctfmon.exe (User '?')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User '?')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\system32\shdocvw.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Arquivos de programas\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1221510508703

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD44/JSCDL/jdk/6u...ows-i586-jc.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\Skype4COM.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: iPod Service - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)

 

--

End of file - 6633 bytes