[Resolvido!] Problemas com CiD Pop Up !

chaponeis · Março 2, 2009

Estou com problema com esse Pop Up, que sempre aparece com o nome de CiD, Mercado Livre,entre outros...

aki vai a analise feita pelo hijackthis :

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:35:46, on 2/3/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe

C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\vsnpstd2.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\Arquivos de programas\Windows Media Player\WMPNSCFG.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\AntiVir\sched.exe

C:\Arquivos de programas\AntiVir\avguard.exe

C:\Arquivos de programas\AntiVir\avgnt.exe

C:\Arquivos de programas\Adobe\Reader 8.0\Reader\AcroRd32.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll

O4 - HKLM\..\Run: [sMSERIAL] C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [sNPSTD2] C:\WINDOWS\vsnpstd2.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [poke mp3 cdrom meta] C:\Documents and Settings\All Users\Dados de aplicativos\Jump Poll Poke Mp3\blah site.exe

O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\AntiVir\avgnt.exe" /min

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\kamsoft.exe

O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [comp jugs] C:\DOCUME~1\pessoal\DADOSD~1\LOGBLU~1\MapiTheGrid.exe

O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Arquivos de programas\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Arquivos de programas\AntiVir\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\AntiVir\avguard.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

--

End of file - 6493 bytes

MGuitar · Março 2, 2009

1ª Etapa

- Faça download do Lop S&D e salve-o no desktop;

● Para instalá-lo, na primeira tela escolha a opção "Je suis d'accord avec..." e clique em Suivant, depois em Quitter.

● Na sua área de trabalho irá aparecer o ícone do Lop S&D. Clique sobre ele.

● Dê um duplo clique no Lop S&D, Na janela que abrir pressione a tecla P e tecle Enter;

● Na próxima tela pressione o numero 2 e tecle Enter;

● Sua tela irá piscar. Isso é normal. Aguarde até que seja gerado um relatório.

Poste este log aqui.

2ª Etapa

- Faça o download do ComboFix e salve-o na área de trabalho;

● Desative temporariamente o seu antivirus para não detectar a ferramenta como vírus;

● Duplo clique no ícone combofix.exe para iniciar o scan;

● Leia o contrato que aparecerá e clique em Sim para continuar;

● Abrirá uma janela do Console de Recuperação, clique em Sim para instalar. Se aparecer outra janela do Console, clique em OK > Sim;

● Aguarde enquanto o ComboFix faz o scan;

● Se ocorrer algum problema durante o scan, reinicie seu computador em Modo de Segurança e repita o procedimento;

● Não clique na janela do ComboFix e procure não utilizar o teclado também, para não atrapalhar a varredura da ferramenta;

● Se quiser sair ou parar o ComboFix, tecle N;

● Quando terminar seu micro será reiniciado. Após o reinicio, a ferramenta executará novamente, aguarde;

● Será gerado um log em C:\ComboFix.txt.

Em sua próxima resposta, cole os logs do Lop S&D e ComboFix.

chaponeis · Março 4, 2009

Aki segue o relatorio do Lop :

--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 2

X86-based PC ( Uniprocessor Free : AMD Sempron Processor 3000+ )

BIOS : BIOS Date: 11/23/05 11:07:46 Ver: 08.00.09

USER : pessoal ( Administrator )

BOOT : Normal boot

Antivirus : Avira AntiVir PersonalEdition 6.38.0.225

(Activated)

A:\ (USB)

C:\ (Local Disk) - NTFS - Total:19 Go (Free:13 Go)

D:\ (Local Disk) - FAT32 - Total:54 Go (Free:46 Go)

E:\ (CD or DVD) - CDFS - Total:0 Go (Free:0 Go)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )

Option : [2] ( qua 04/03/2009|11:02 )

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ REMOVIDOS

Deletado! - C:\DOCUME~1\pessoal\CONFIG~1\Temp\bis2.exe

-

[ Arquivos/Ficheiros Hosts ] .. RESTAURADO

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

--------------------\\ Lista de pastas em DADOSD~1

[14/01/2009|04:16] C:\DOCUME~1\ADMINI~1\DADOSD~1\Identities

[16/01/2009|18:21] C:\DOCUME~1\ADMINI~1\DADOSD~1\Microsoft

[17/02/2009|20:29] C:\DOCUME~1\ALLUSE~1\DADOSD~1\Adobe

[02/03/2009|09:04] C:\DOCUME~1\ALLUSE~1\DADOSD~1\AntiVir PersonalEdition Classic

[16/01/2009|18:21] C:\DOCUME~1\ALLUSE~1\DADOSD~1\avg8

[02/03/2009|19:16] C:\DOCUME~1\ALLUSE~1\DADOSD~1\Google

[24/02/2009|10:04] C:\DOCUME~1\ALLUSE~1\DADOSD~1\Jump Poll Poke Mp3

[01/03/2009|04:38] C:\DOCUME~1\ALLUSE~1\DADOSD~1\Messenger Plus!

[20/01/2009|00:26] C:\DOCUME~1\ALLUSE~1\DADOSD~1\Microsoft

[02/03/2009|09:59] C:\DOCUME~1\ALLUSE~1\DADOSD~1\Spybot - Search & Destroy

[12/01/2009|22:49] C:\DOCUME~1\ALLUSE~1\DADOSD~1\Windows Genuine Advantage

[14/01/2009|04:11] C:\DOCUME~1\DEFAUL~1\DADOSD~1\Microsoft

[16/01/2009|18:21] C:\DOCUME~1\LOCALS~1\DADOSD~1\Microsoft

[16/01/2009|18:21] C:\DOCUME~1\NETWOR~1\DADOSD~1\Microsoft

[02/02/2009|12:54] C:\DOCUME~1\pessoal\DADOSD~1\Adobe

[13/01/2009|18:57] C:\DOCUME~1\pessoal\DADOSD~1\Ahead

[27/01/2009|19:42] C:\DOCUME~1\pessoal\DADOSD~1\Desktopicon

[02/02/2009|12:53] C:\DOCUME~1\pessoal\DADOSD~1\Google

[14/01/2009|04:39] C:\DOCUME~1\pessoal\DADOSD~1\Identities

[24/02/2009|10:04] C:\DOCUME~1\pessoal\DADOSD~1\logbluetime

[22/01/2009|14:52] C:\DOCUME~1\pessoal\DADOSD~1\Macromedia

[17/01/2009|18:39] C:\DOCUME~1\pessoal\DADOSD~1\Media Player Classic

[28/01/2009|14:44] C:\DOCUME~1\pessoal\DADOSD~1\Microsoft

[14/01/2009|05:05] C:\DOCUME~1\pessoal\DADOSD~1\Sun

[26/01/2009|00:43] C:\DOCUME~1\pessoal\DADOSD~1\WinRAR

--------------------\\ Tarefas Agendadas na pasta C:\WINDOWS\Tasks

[04/03/2009 11:00][--ah-----] C:\WINDOWS\tasks\ACEE82C591813779.job

[04/03/2009 10:23][--ah-----] C:\WINDOWS\tasks\SA.DAT

[28/10/2001 16:37][-r-h-----] C:\WINDOWS\tasks\desktop.ini

( ACEE82C591813779.job )=( c:\docume~1\pessoal\dadosd~1\logblu~1\ThisPartBash.exe )

--------------------\\ Lista de pastas em C:\Arquivos de programas

[17/02/2009|20:29] C:\Arquivos de programas\Adobe

[13/01/2009|18:56] C:\Arquivos de programas\Ahead

[23/01/2009|22:36] C:\Arquivos de programas\Analog Devices

[02/03/2009|09:04] C:\Arquivos de programas\AntiVir

[13/01/2009|19:18] C:\Arquivos de programas\Arquivos comuns

[13/01/2009|18:55] C:\Arquivos de programas\AVG

[24/02/2009|10:04] C:\Arquivos de programas\Circle Dvelopement

[14/01/2009|04:08] C:\Arquivos de programas\ComPlus Applications

[03/03/2009|00:33] C:\Arquivos de programas\eMule

[03/03/2009|22:22] C:\Arquivos de programas\Google

[23/01/2009|22:36] C:\Arquivos de programas\InstallShield Installation Information

[11/02/2009|14:33] C:\Arquivos de programas\Internet Explorer

[14/01/2009|05:05] C:\Arquivos de programas\Java

[25/01/2009|23:51] C:\Arquivos de programas\K-Lite Codec Pack

[13/01/2009|19:20] C:\Arquivos de programas\KYE

[24/02/2009|10:04] C:\Arquivos de programas\logbluetime

[24/02/2009|10:04] C:\Arquivos de programas\Messenger Plus! Live

[14/01/2009|04:12] C:\Arquivos de programas\microsoft frontpage

[14/01/2009|05:13] C:\Arquivos de programas\Microsoft Office

[12/01/2009|22:49] C:\Arquivos de programas\Microsoft.NET

[14/01/2009|05:00] C:\Arquivos de programas\Motorola

[14/01/2009|04:09] C:\Arquivos de programas\Movie Maker

[14/01/2009|04:12] C:\Arquivos de programas\msn gaming zone

[14/01/2009|04:12] C:\Arquivos de programas\netmeeting

[14/01/2009|04:09] C:\Arquivos de programas\Outlook Express

[14/01/2009|04:10] C:\Arquivos de programas\Servi‡os on-line

[02/03/2009|09:24] C:\Arquivos de programas\Spybot - Search & Destroy

[12/01/2009|22:57] C:\Arquivos de programas\Uninstall Information

[26/01/2009|00:44] C:\Arquivos de programas\VDOWNLOADER

[12/01/2009|22:51] C:\Arquivos de programas\Windows Live

[12/01/2009|22:51] C:\Arquivos de programas\Windows Media Connect 2

[12/01/2009|22:52] C:\Arquivos de programas\Windows Media Player

[14/01/2009|04:12] C:\Arquivos de programas\Windows NT

[14/01/2009|04:10] C:\Arquivos de programas\WindowsUpdate

[14/01/2009|05:05] C:\Arquivos de programas\WinRAR

[14/01/2009|04:12] C:\Arquivos de programas\xerox

--------------------\\ Lista de pastas em C:\Arquivos de programas\Arquivos comuns

[17/02/2009|20:29] C:\Arquivos de programas\Arquivos comuns\Adobe

[13/01/2009|18:56] C:\Arquivos de programas\Arquivos comuns\Ahead

[14/01/2009|05:13] C:\Arquivos de programas\Arquivos comuns\DESIGNER

[13/01/2009|19:18] C:\Arquivos de programas\Arquivos comuns\InstallShield

[14/01/2009|05:05] C:\Arquivos de programas\Arquivos comuns\Java

[12/01/2009|22:50] C:\Arquivos de programas\Arquivos comuns\Microsoft Shared

[14/01/2009|04:09] C:\Arquivos de programas\Arquivos comuns\MSSoap

[14/01/2009|02:02] C:\Arquivos de programas\Arquivos comuns\ODBC

[14/01/2009|04:09] C:\Arquivos de programas\Arquivos comuns\Servi‡os

[13/01/2009|19:19] C:\Arquivos de programas\Arquivos comuns\snpstd2

[14/01/2009|02:02] C:\Arquivos de programas\Arquivos comuns\SpeechEngines

[14/01/2009|05:10] C:\Arquivos de programas\Arquivos comuns\System

--------------------\\ Process

( 34 Processes )

... OK !

--------------------\\ Procura pelo S_Lop

Não foram encontradas pastas com o Lop!

--------------------\\ Procura por Arquivos/Ficheiros e pastas do Lop

C:\DOCUME~1\ALLUSE~1\DADOSD~1\Jump Poll Poke Mp3

C:\DOCUME~1\ALLUSE~1\DADOSD~1\Jump Poll Poke Mp3\blah site.dat

C:\DOCUME~1\ALLUSE~1\DADOSD~1\Jump Poll Poke Mp3\blah site.exe

C:\DOCUME~1\pessoal\DADOSD~1\logblu~1

C:\DOCUME~1\pessoal\DADOSD~1\logblu~1\Corndentsizelong.exe

C:\DOCUME~1\pessoal\DADOSD~1\logblu~1\MapiTheGrid.exe

C:\DOCUME~1\pessoal\DADOSD~1\logblu~1\This Part Bash.exe

C:\DOCUME~1\pessoal\DADOSD~1\logblu~1\ypofkkeh.exe

C:\Arquivos de programas\logblu~1

C:\DOCUME~1\pessoal\Cookies\pessoal@www.adserver5[1].txt

C:\DOCUME~1\pessoal\Cookies\pessoal@advertising.marketnetwork[1].txt

C:\WINDOWS\Tasks\ACEE82C591813779.job

--------------------\\ Procura no Registro

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"comp jugs"="C:\\DOCUME~1\\pessoal\\DADOSD~1\\LOGBLU~1\\MapiTheGrid.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

--------------------\\ Verificando o Arquivos/Ficheiros Hosts

Arquivos/Ficheiros Hosts LIMPO

--------------------\\ Procurando Arquivos/Ficheiros ocultos com o Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-04 11:03:24

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden files ...

scan completed successfully

hidden processes: 0

hidden files: 19

--------------------\\ Procurando por outras infecções

Não foram encontradas outras infecções.

[F:2671][D:53]-> C:\DOCUME~1\pessoal\CONFIG~1\Temp

[F:70][D:0]-> C:\DOCUME~1\pessoal\Cookies

[F:825][D:5]-> C:\DOCUME~1\pessoal\CONFIG~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - qua 04/03/2009|11:04 - Option : [2]

--------------------\\ Verificação completa em 11:04:12

chaponeis · Março 4, 2009

Aki segue o relatório de Combofix :

ComboFix 09-03-03.01 - pessoal 2009-03-04 11:09:17.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.511.345 [GMT 4.5:30]

Executando de: c:\documents and settings\pessoal\Desktop\ComboFix.exe

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)

.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\1utbfd.bat

C:\2aaxaiy.exe

C:\2fiy.bat

C:\2u.com

C:\8.bat

C:\a1agmur.cmd

C:\autorun.inf

C:\cv22.cmd

C:\i6g6x.cmd

C:\jeorels.cmd

C:\m0vnonh.bat

C:\o.exe

C:\pook.com

C:\qxty9be.cmd

C:\uvsqfgwd.cmd

c:\windows\system32\gasretyw0.dll

c:\windows\system32\kamsoft.exe

c:\windows\system32\nmdfgds0.dll

c:\windows\system32\nmdfgds1.dll

c:\windows\system32\olhrwef.exe

D:\1utbfd.bat

D:\2aaxaiy.exe

D:\2fiy.bat

D:\2u.com

D:\8.bat

D:\a1agmur.cmd

D:\Autorun.inf

D:\cv22.cmd

D:\i6g6x.cmd

D:\jeorels.cmd

D:\m0vnonh.bat

D:\pook.com

D:\qxty9be.cmd

D:\uvsqfgwd.cmd

.

(((((((((((((((( Arquivos/Ficheiros criados de 2009-02-04 to 2009-03-04 ))))))))))))))))))))))))))))

.

2009-03-04 10:58 . 2009-03-04 11:04 <DIR> d-------- C:\Lop SD

2009-03-03 00:14 . 2004-05-14 16:53 462,848 --a------ c:\windows\system32\ltkrn13n.dll

2009-03-03 00:14 . 2004-05-14 16:53 450,560 --a------ c:\windows\system32\ltimg13n.dll

2009-03-03 00:14 . 2004-05-14 16:53 401,408 --a------ c:\windows\system32\lfcmp13n.dll

2009-03-03 00:14 . 2004-05-14 16:53 299,008 --a------ c:\windows\system32\ltdis13n.dll

2009-03-03 00:14 . 2004-01-12 02:09 206,336 --a------ c:\windows\system32\ltefx13n.dll

2009-03-03 00:14 . 2004-05-14 16:53 163,840 --a------ c:\windows\system32\ltfil13n.dll

2009-03-03 00:14 . 2003-11-04 15:10 69,632 --a------ c:\windows\system32\lfgif13n.dll

2009-03-03 00:14 . 2004-05-14 16:53 57,344 --a------ c:\windows\system32\lfbmp13n.dll

2009-03-02 10:34 . 2009-03-02 10:35 <DIR> d-------- C:\Hijackthis

2009-03-02 10:02 . 2009-03-02 10:03 <DIR> d-------- C:\Findlop

2009-03-02 09:24 . 2009-03-02 09:59 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Spybot - Search & Destroy

2009-03-02 09:24 . 2009-03-02 09:24 <DIR> d-------- c:\arquivos de programas\Spybot - Search & Destroy

2009-03-02 09:04 . 2009-03-02 09:04 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\AntiVir PersonalEdition Classic

2009-03-02 09:04 . 2009-03-02 09:04 <DIR> d-------- c:\arquivos de programas\AntiVir

2009-02-27 17:52 . 2009-02-28 10:27 108,843 -r-hs---- C:\gi2ky.exe

2009-02-26 18:21 . 2009-02-26 18:21 206 --a------ c:\windows\system32\MRT.INI

2009-02-26 11:27 . 2009-02-26 11:27 103,663 -r-hs---- C:\wx8o0bt1.com

2009-02-24 15:55 . 2009-02-24 15:55 <DIR> d-------- c:\windows\Sun

2009-02-24 10:04 . 2009-02-24 10:04 <DIR> d-------- c:\documents and settings\pessoal\Dados de aplicativos\logbluetime

2009-02-24 10:04 . 2009-02-24 10:04 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Jump Poll Poke Mp3

2009-02-24 10:04 . 2009-02-24 10:04 <DIR> d-------- c:\arquivos de programas\logbluetime

2009-02-24 10:04 . 2009-02-24 10:04 <DIR> d-------- c:\arquivos de programas\Circle Dvelopement

2009-02-20 09:38 . 2009-02-20 09:37 106,970 -r-hs---- C:\w2.com

2009-02-15 12:16 . 2009-02-15 12:15 106,803 -r-hs---- C:\qphdin.com

2009-02-12 16:30 . 2009-02-14 15:02 107,898 -r-hs---- C:\ur0.com

2009-02-10 20:35 . 2009-02-11 12:08 108,067 -r-hs---- C:\opgde.exe

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-03 17:52 --------- d-----w c:\arquivos de programas\Google

2009-03-02 20:03 --------- d-----w c:\arquivos de programas\eMule

2009-03-01 00:08 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Messenger Plus!

2009-02-24 05:34 --------- d-----w c:\arquivos de programas\Messenger Plus! Live

2009-02-17 15:59 --------- d-----w c:\arquivos de programas\Arquivos comuns\Adobe

2009-02-01 05:06 109,930 --sh--r C:\a2h2.com

2009-01-30 08:36 109,127 --sh--r C:\hl80c6b1.com

2009-01-27 15:12 --------- d-----w c:\documents and settings\pessoal\Dados de aplicativos\Desktopicon

2009-01-25 20:14 --------- d-----w c:\arquivos de programas\VDOWNLOADER

2009-01-25 19:21 --------- d-----w c:\arquivos de programas\K-Lite Codec Pack

2009-01-23 18:06 --------- d--h--w c:\arquivos de programas\InstallShield Installation Information

2009-01-23 18:06 --------- d-----w c:\arquivos de programas\Analog Devices

2009-01-17 14:09 --------- d-----w c:\documents and settings\pessoal\Dados de aplicativos\Media Player Classic

2009-01-16 13:51 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\avg8

2009-01-14 00:35 --------- d-----w c:\arquivos de programas\Java

2009-01-14 00:35 --------- d-----w c:\arquivos de programas\Arquivos comuns\Java

2009-01-14 00:30 --------- d-----w c:\arquivos de programas\Motorola

2009-01-13 23:42 --------- d-----w c:\arquivos de programas\microsoft frontpage

2009-01-13 23:40 --------- d-----w c:\arquivos de programas\Serviços on-line

2009-01-13 23:39 --------- d-----w c:\arquivos de programas\Arquivos comuns\Serviços

2009-01-13 14:50 --------- d-----w c:\arquivos de programas\KYE

2009-01-13 14:49 --------- d-----w c:\arquivos de programas\Arquivos comuns\snpstd2

2009-01-13 14:48 --------- d-----w c:\arquivos de programas\Arquivos comuns\InstallShield

2009-01-13 14:27 --------- d-----w c:\documents and settings\pessoal\Dados de aplicativos\Ahead

2009-01-13 14:26 --------- d-----w c:\arquivos de programas\Arquivos comuns\Ahead

2009-01-13 14:26 --------- d-----w c:\arquivos de programas\Ahead

2009-01-13 14:25 --------- d-----w c:\arquivos de programas\AVG

2009-01-12 18:21 --------- d-----w c:\arquivos de programas\Windows Media Connect 2

2009-01-12 18:21 --------- d-----w c:\arquivos de programas\Windows Live

2009-01-12 18:19 --------- d-----w c:\arquivos de programas\Microsoft.NET

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"swg"="c:\arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-03 68856]

"comp jugs"="c:\docume~1\pessoal\DADOSD~1\LOGBLU~1\MapiTheGrid.exe" [2009-02-24 757760]

"SpybotSD TeaTimer"="c:\arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

"WMPNSCFG"="c:\arquivos de programas\Windows Media Player\WMPNSCFG.exe" [2006-11-02 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SMSERIAL"="c:\arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-29 638976]

"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"SNPSTD2"="c:\windows\vsnpstd2.exe" [2004-06-10 286720]

"SoundMAXPnP"="c:\arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 1368064]

"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"avgnt"="c:\arquivos de programas\AntiVir\avgnt.exe" [2007-04-02 327720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_3"="advpack.dll" [2008-12-21 c:\windows\system32\advpack.dll]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Arquivos de programas\\eMule\\emule.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"2529:UDP"= 2529:UDP:Windows Media Format SDK (iexplore.exe)

"2528:UDP"= 2528:UDP:Windows Media Format SDK (iexplore.exe)

"2532:UDP"= 2532:UDP:Windows Media Format SDK (iexplore.exe)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{010c7890-ebc9-11dd-a377-0015f2c686fd}]

\Shell\AutoRun\command - F:\start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{181db902-f1d9-11dd-a38d-0015f2c686fd}]

\Shell\AutoRun\command - F:\start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{181db903-f1d9-11dd-a38d-0015f2c686fd}]

\Shell\AutoRun\command - G:\2u.com

\Shell\explore\Command - G:\2u.com

\Shell\open\Command - G:\2u.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c8614186-ec8d-11dd-a37c-0015f2c686fd}]

\Shell\AutoRun\command - F:\2u.com

\Shell\explore\Command - F:\2u.com

\Shell\open\Command - F:\2u.com

.

Conteúdo da pasta 'Tarefas Agendadas'

2009-03-04 c:\windows\Tasks\ACEE82C591813779.job

- c:\docume~1\pessoal\dadosd~1\logblu~1\This Part Bash.exe [2009-02-24 10:04]

.

- - - - ORFÃOS REMOVIDOS - - - -

HKCU-Run-cdoosoft - c:\windows\system32\olhrwef.exe

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.uol.com.br/

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-04 11:11:49

Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

**************************************************************************

.

------------------------ Outros Processos em Execução ------------------------

.

c:\arquivos de programas\AntiVir\avguard.exe

c:\arquivos de programas\AntiVir\sched.exe

c:\arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

c:\arquivos de programas\Windows Media Player\wmpnetwk.exe

c:\arquivos de programas\Internet Explorer\iexplore.exe

.

**************************************************************************

.

Tempo para conclusão: 2009-03-04 11:13:30 - Máquina reiniciou

ComboFix-quarantined-files.txt 2009-03-04 06:43:26

Pré-execução: 12 pasta(s) 14.577.242.112 bytes disponíveis

Pós execução: 12 pasta(s) 14,757,007,360 bytes disponíveis

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

202 --- E O F --- 2009-02-26 13:52:00

MGuitar · Março 5, 2009

NOTA: Adicione suas mídias removíveis: pen drive, MP3, MP4, celular, cartão de memória, ou qualquer outra que tenha, na(s) entrada(s) USB do computador.

Selecione e copie o conteúdo abaixo (começando de Folder). Cole dentro do Bloco de Notas de seu PC e salve-o no desktop como CFScript.txt

Folder::C:\Lop SDC:\Findlopc:\documents and settings\pessoal\Dados de aplicativos\logbluetimec:\documents and settings\All Users\Dados de aplicativos\Jump Poll Poke Mp3c:\arquivos de programas\logbluetimeFile::C:\gi2ky.exeC:\wx8o0bt1.comC:\w2.comC:\qphdin.comC:\ur0.comC:\opgde.exeC:\a2h2.comC:\hl80c6b1.comc:\windows\Tasks\ACEE82C591813779.jobRegistry::[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"comp jugs"=-[HKEY_LOCAL_MACHINE\software\microsoft\security center]"AntiVirusDisableNotify"=dword:00000000"UpdatesDisableNotify"=dword:00000000[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{010c7890-ebc9-11dd-a377-0015f2c686fd}][-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{181db902-f1d9-11dd-a38d-0015f2c686fd}][-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{181db903-f1d9-11dd-a38d-0015f2c686fd}][-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c8614186-ec8d-11dd-a37c-0015f2c686fd}]

Arraste o CFScript para o ComboFix como na imagem aqui abaixo e aguarde a execução automática da ferramenta:

● Se for solicitado à você, pressione Enter para iniciar o processo de remoção;

● Não use o mouse nem o teclado quando o ComboFix estiver rodando;

● Quando terminar, será gerado um novo log que estará em C:\ComboFix.txt;

● Talvez seu computador seja reiniciado automaticamente. Caso não ocorra, reinicie-o manualmente.

Na sua próxima resposta, cole o ComboFix.txt e um novo log do HijackThis.

chaponeis · Março 6, 2009

ComboFix 09-03-03.01 - pessoal 2009-03-06 20:14:09.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.511.285 [GMT 4.5:30]

Executando de: c:\documents and settings\pessoal\Desktop\ComboFix.exe

Comandos utilizados :: c:\documents and settings\pessoal\Desktop\CFScript.txt

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)

FILE ::

C:\a2h2.com

C:\gi2ky.exe

C:\hl80c6b1.com

C:\opgde.exe

C:\qphdin.com

C:\ur0.com

C:\w2.com

c:\windows\Tasks\ACEE82C591813779.job

C:\wx8o0bt1.com

.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\a2h2.com

c:\arquivos de programas\logbluetime

c:\documents and settings\All Users\Dados de aplicativos\Jump Poll Poke Mp3

c:\documents and settings\All Users\Dados de aplicativos\Jump Poll Poke Mp3\blah site.dat

c:\documents and settings\All Users\Dados de aplicativos\Jump Poll Poke Mp3\blah site.exe

c:\documents and settings\pessoal\Dados de aplicativos\logbluetime

c:\documents and settings\pessoal\Dados de aplicativos\logbluetime\0

c:\documents and settings\pessoal\Dados de aplicativos\logbluetime\Corndentsizelong.exe

c:\documents and settings\pessoal\Dados de aplicativos\logbluetime\MapiTheGrid.exe

c:\documents and settings\pessoal\Dados de aplicativos\logbluetime\This Part Bash.exe

c:\documents and settings\pessoal\Dados de aplicativos\logbluetime\ypofkkeh.exe

C:\Findlop

c:\findlop\findlop.bat

c:\findlop\jt.exe

C:\gi2ky.exe

C:\hl80c6b1.com

C:\Lop SD

c:\lop sd\App-Prog.lsd

c:\lop sd\AuDoss.lsd

c:\lop sd\AutrInf.cmd

c:\lop sd\AWF.cmd

c:\lop sd\Back.cmd

c:\lop sd\Backup-Lop\DOCUME~1\pessoal\CONFIG~1\Temp\bis2.exe

c:\lop sd\Backup-Lop\Hosts\hosts

c:\lop sd\Backup-Lop\Reg\HKCU_Run.reg

c:\lop sd\Backup-Lop\Reg\HKLM_Run.reg

c:\lop sd\Backup-Lop\Reg\HKLM_Uninstall.reg

c:\lop sd\Boo.reg

c:\lop sd\BooFix.cmd

c:\lop sd\catchme.exe

c:\lop sd\catchme.log

c:\lop sd\Changelog Lop SD.txt

c:\lop sd\DirectFix.cmd

c:\lop sd\Discl_en.vbs

c:\lop sd\Discl_fr.vbs

c:\lop sd\Discl_ne.vbs

c:\lop sd\Discl_sp.vbs

c:\lop sd\Discl_su.vbs

c:\lop sd\Doss.lsd

c:\lop sd\DossKill.txt

c:\lop sd\exist.txt

c:\lop sd\FichKill.txt

c:\lop sd\Icon_Lop.ico

c:\lop sd\iNv.exe

c:\lop sd\Key.txt

c:\lop sd\KILL.cmd

c:\lop sd\Langues.cmd

c:\lop sd\LopR_1.txt

c:\lop sd\LopScript.cmd

c:\lop sd\LopSD.cmd

c:\lop sd\lsTasks.exe

c:\lop sd\Orph.egd

c:\lop sd\OsV.exe

c:\lop sd\paths.bat

c:\lop sd\PrefKill.txt

c:\lop sd\Proc.txt

c:\lop sd\pv.exe

c:\lop sd\RegLop.reg

c:\lop sd\Rkeys.txt

c:\lop sd\RKit.lsd

c:\lop sd\RoGUeS.lsd

c:\lop sd\RunTool.txt

c:\lop sd\S_LopV.cmd

c:\lop sd\S_LopX.cmd

c:\lop sd\sed.exe

c:\lop sd\setpath.exe

c:\lop sd\task.txt

c:\lop sd\task_.txt

c:\lop sd\Uninstal.exe

c:\lop sd\WhL.lsd

C:\opgde.exe

C:\qphdin.com

C:\ur0.com

C:\w2.com

c:\windows\Tasks\ACEE82C591813779.job

C:\wx8o0bt1.com

.

(((((((((((((((( Arquivos/Ficheiros criados de 2009-02-06 to 2009-03-06 ))))))))))))))))))))))))))))