
Archived

This topic has been archived and is closed to new replies.

gRoOvE

[Resolved!] Log Analysis


Guys, I'm posting again because the problem is on my PC now. Sometimes when I tell it to shut down it restarts instead, or it logs off; something is wrong, so I'm posting the log for analysis. Note: there is another topic opened by me, but that one is about a different machine. One more thing: I'd like to clean my Windows registry, given all the programs I've installed and uninstalled. I use CCleaner; does it actually clean anything?

 

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 18:58:39, on 5/3/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Arquivos de programas\Bonjour\mDNSResponder.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\slserv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RunDll32.exe

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe

C:\Arquivos de programas\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

C:\Arquivos de programas\MediaKey\OSD.EXE

C:\Arquivos de programas\iPod\bin\iPodService.exe

C:\Arquivos de programas\MediaKey\Versato.exe

C:\Arquivos de programas\Terra Discador - Versão Compacta\terradiscadorcomp.exe

C:\WINDOWS\system32\slrundll.exe

C:\HiJackThis_v2.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Arquivos de programas\Free Download Manager\iefdm2.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [Atalho para a Página de Propriedades do High Definition Audio] HDAudPropShortcut.exe

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Arquivos de programas\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Arquivos de programas\DAEMON Tools Lite\daemon.exe" -autorun

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Arquivos de programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: MediaKey.lnk = C:\Arquivos de programas\MediaKey\MagicRun.exe

O8 - Extra context menu item: Baixar com o Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dllink.htm

O8 - Extra context menu item: Baixar tudo com o Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dlall.htm

O8 - Extra context menu item: Baixar vídeo com o Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dlfvideo.htm

O8 - Extra context menu item: Download selecionado pelo Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dlselected.htm

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (file missing)

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O15 - Trusted Zone: http://www.rlc.com.br

O15 - Trusted Zone: http://www.rlcnet.com.br

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1231879433203

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1231879426500

O16 - DPF: {952E8EEC-9FBD-11D6-817E-444553540000} (FiskNetQuizProject.FiskNetQuiz) - http://www.rlc.com.br/fsk/quizocx/thawte/F...QuizProject.CAB

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O16 - DPF: {FD3DF356-A3D7-11D6-99AB-0000E8569CF3} (FiskNetEnigmaProject.FiskNetEnigma) - http://www.rlcnet.com.br/fsk/netenigma/tha...igmaProject.CAB

O17 - HKLM\System\CCS\Services\Tcpip\..\{CA62C6EF-519C-407B-9E87-2CA5F85F191F}: NameServer = 200.176.2.12 200.176.2.10

O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Dispositivo Celular da Apple (Apple Mobile Device) - Apple Inc. - C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe

O23 - Service: iPod Service - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

 

--

End of file - 9234 bytes

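As an added example (not code from this thread, from HijackThis or from ComboFix), the following Python script parses the section-prefixed lines of a HijackThis log like the one posted above and flags the entries an analyst looks at first: items HijackThis itself marks as (no name), (no file) or (file missing), O23 services with an Unknown owner, and O15 Trusted Zone additions, which are worth reviewing because they relax Internet Explorer's security for the listed hosts. The sample input is constructed from lines of the log above; the function and marker names are my own and not part of any tool.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines copied from the HijackThis log posted
# in the thread, chosen so that several of the usual analyst checks fire.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: http://www.rlc.com.br
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
End of file - 9234 bytes
"""

# Markers HijackThis prints when an entry points at nothing on disk, plus the
# "Unknown owner" it prints for O23 services without a recognised publisher.
# Marker order here is the order in which flags are recorded on an entry.
SUSPECT_MARKERS = ("(no name)", "(no file)", "(file missing)", "Unknown owner")

# Every HijackThis finding starts with a section code (R0, O2, O23, ...) and
# " - "; the process list, header and footer lines do not, and are skipped.
LINE_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")


@dataclass
class Entry:
    section: str              # e.g. "O2"
    body: str                 # everything after the section code
    flags: list = field(default_factory=list)  # reasons this entry needs review


def parse_hjt(text):
    """Turn the finding lines of a HijackThis log into Entry objects."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entry = Entry(m.group("section"), m.group("body"))
        for marker in SUSPECT_MARKERS:
            if marker in entry.body:
                entry.flags.append(marker)
        # O15 lines add hosts to IE's Trusted Zone; they are not inherently bad,
        # but an analyst should confirm the user actually added them.
        if entry.section == "O15":
            entry.flags.append("trusted zone (review)")
        entries.append(entry)
    return entries


def count_by_section(entries):
    """Count findings per HijackThis section, e.g. {'O2': 2, 'O4': 1}."""
    counts = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


def flagged(entries):
    """Only the entries that carry at least one review flag, in log order."""
    return [e for e in entries if e.flags]


def report(text):
    """Print a short triage summary; returns the flagged entries for callers."""
    entries = parse_hjt(text)
    print("findings per section:", count_by_section(entries))
    hits = flagged(entries)
    for e in hits:
        print(f"[{e.section}] {', '.join(e.flags)}: {e.body}")
    return hits


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Run against the sample it reports four entries for review: the orphaned O2 BHO with no name and no file, the O9 Messenger button whose executable is missing, the O15 Trusted Zone host, and the O23 service with an unknown owner. A flag means "look at this", not "remove this": orphaned BHO and O9 entries are typically leftovers from an uninstall, exactly the kind of stale registry reference the original poster asked about, rather than evidence of infection.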

Hey gRoOvE,

Download ComboFix at:

ComboFix

1) Temporarily disable your antivirus;

2) Double-click combofix.exe and wait (the whole process takes about 10 minutes);

3) The "SOFTWARE WARRANTY DISCLAIMER" window will open. Read the text in this window carefully and click "YES" to continue.

PS: If you do not agree with the terms, click "NO" to exit the software, bearing in mind that disinfection will not be possible without continuing with ComboFix.

4) Another window will open if your machine does not have the WINDOWS RECOVERY CONSOLE. It is recommended to install the console before continuing, since it guarantees that the system can be recovered if problems occur during the scan.

Click "YES" and wait; ComboFix installs the console automatically. It may take a few minutes (depending on your connection speed), so be patient.

When the "INSTALLING THE RECOVERY CONSOLE" window appears, click "OK", then click "YES" to accept the EULA.

When the recovery console installation finishes, a window will open saying "THE RECOVERY CONSOLE WAS INSTALLED SUCCESSFULLY".

Click "YES" to continue the scan.

5) ComboFix will start the AUTOSCAN (wait).

WARNING: Do not click on the ComboFix window and do not terminate the process abruptly while the tool is running, as this will break your desktop configuration (it will go completely white).

When the process finishes, the machine will be restarted to produce the report.

6) When the machine restarts, ComboFix will run FIND3M to create the final scan report. The log will be saved at C:\ComboFix.txt.

7) Re-enable your antivirus;

8) I need you to paste the contents of ComboFix.txt in your next reply.

NOTE 1: If a message appears saying THIS IS NOT A VALID WIN32 APPLICATION, download ComboFix again, but save it to your Desktop as KomboFix. As a last resort, try running ComboFix in SAFE MODE.

NOTE 2: If the running ComboFix window is clicked, it will MAXIMIZE on top of the other windows. To minimize it again, just use ALT + TAB.

Regards.


Good morning jgarcia, here is the ComboFix log as requested:

 

ComboFix 09-03-06.02 - gRoOvE 2009-03-08 0:07:29.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.1535.1021 [GMT -3:00]

Executando de: c:\documents and settings\gRoOvE\Desktop\ComboFix.exe

AV: avast! antivirus 4.8.1229 [VPS 090305-1] *On-access scanning disabled* (Updated)

.

 

(((((((((((((((( Arquivos/Ficheiros criados de 2009-02-08 to 2009-03-08 ))))))))))))))))))))))))))))

.

 

2009-03-07 14:01 . 2009-03-07 14:57 <DIR> d-------- c:\documents and settings\Kaio\Dados de aplicativos\TerraDiscador

2009-03-06 21:08 . 2008-08-14 10:45 2,184,576 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe

2009-03-06 21:08 . 2008-08-14 10:45 2,140,160 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe

2009-03-06 21:08 . 2008-08-14 10:45 2,061,952 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe

2009-03-06 21:08 . 2008-08-14 10:45 2,019,840 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe

2009-03-06 12:30 . 2009-03-06 12:33 1,355 --a------ c:\windows\imsins.BAK

2009-03-06 00:05 . 2009-03-08 00:05 <DIR> d-------- c:\documents and settings\gRoOvE\Dados de aplicativos\TerraDiscador

2009-03-05 22:36 . 2009-03-05 22:36 <DIR> d-------- c:\windows\Modio

2009-03-05 18:46 . 2007-03-27 02:35 1,308,216 --a------ C:\HiJackThis_v2.exe

2009-03-04 09:37 . 2009-03-04 09:38 <DIR> d-------- c:\arquivos de programas\Spybot - Search & Destroy

2009-03-04 09:31 . 2009-03-04 09:50 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Spybot - Search & Destroy

2009-03-01 00:51 . 2008-10-24 08:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

2009-02-28 22:00 . 2008-06-14 14:59 272,384 --------- c:\windows\system32\drivers\bthport.sys

2009-02-28 22:00 . 2008-06-14 14:59 272,384 -----c--- c:\windows\system32\dllcache\bthport.sys

2009-02-28 16:57 . 2009-02-28 16:58 <DIR> d-------- c:\documents and settings\Kaio\Dados de aplicativos\Hamachi

2009-02-28 16:57 . 2009-02-28 16:57 10,578 --a------ c:\windows\system32\drivers\hamachi.sys

2009-02-28 16:09 . 2004-08-13 10:56 5,810 --a------ c:\windows\system32\drivers\ASACPI.sys

2009-02-28 15:38 . 2008-12-20 19:46 6,066,688 -----c--- c:\windows\system32\dllcache\ieframe.dll

2009-02-28 15:38 . 2007-04-17 06:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat

2009-02-28 15:38 . 2007-03-08 02:12 1,024,000 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui

2009-02-28 15:38 . 2008-12-20 19:46 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll

2009-02-28 15:38 . 2008-12-20 19:46 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll

2009-02-28 15:38 . 2008-12-20 19:46 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll

2009-02-28 15:38 . 2008-12-20 19:46 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll

2009-02-28 15:38 . 2008-12-20 19:46 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll

2009-02-28 15:38 . 2008-12-19 06:10 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe

2009-02-28 15:07 . 2009-03-07 16:45 <DIR> d-------- c:\windows\system32\CatRoot_bak

2009-02-21 00:33 . 2009-02-03 21:05 593,920 --------- c:\windows\system32\ati2sgag.exe

2009-02-21 00:32 . 2009-02-21 00:32 <DIR> d-------- C:\ATI

2009-02-19 17:06 . 2009-02-19 17:06 <DIR> d-------- c:\documents and settings\Kaio\Dados de aplicativos\DAEMON Tools Pro

2009-02-19 17:06 . 2009-02-19 17:10 <DIR> d-------- c:\documents and settings\Kaio\Dados de aplicativos\DAEMON Tools Lite

2009-02-19 17:06 . 2009-02-19 17:06 <DIR> d-------- c:\documents and settings\Kaio\Dados de aplicativos\DAEMON Tools

2009-02-19 17:05 . 2009-02-19 17:05 <DIR> d-------- c:\documents and settings\Kaio\.netbeans

2009-02-19 11:10 . 2009-02-19 11:10 <DIR> d-------- c:\documents and settings\gRoOvE\.netbeans-registration

2009-02-19 11:10 . 2009-02-19 11:12 <DIR> d-------- c:\documents and settings\gRoOvE\.netbeans

2009-02-19 11:05 . 2009-03-07 20:58 <DIR> d-------- c:\documents and settings\gRoOvE\.nbi

2009-02-18 19:34 . 2009-02-18 19:34 <DIR> d-------- c:\windows\Installing Adobe Acrobat Reader

2009-02-18 19:26 . 2009-02-18 19:26 <DIR> d-------- c:\documents and settings\gRoOvE\Dados de aplicativos\DAEMON Tools Pro

2009-02-18 19:26 . 2009-02-18 19:26 <DIR> d-------- c:\documents and settings\gRoOvE\Dados de aplicativos\DAEMON Tools

2009-02-18 19:25 . 2009-02-18 19:25 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\DAEMON Tools Lite

2009-02-18 19:25 . 2009-02-18 19:25 <DIR> d-------- c:\arquivos de programas\DAEMON Tools Lite

2009-02-18 19:16 . 2009-02-18 19:28 <DIR> d-------- c:\documents and settings\gRoOvE\Dados de aplicativos\DAEMON Tools Lite

2009-02-18 19:16 . 2009-02-18 19:16 717,296 --a------ c:\windows\system32\drivers\sptd.sys

2009-02-18 19:13 . 2009-03-06 19:55 <DIR> d-------- c:\arquivos de programas\Java

2009-02-18 19:13 . 2009-02-18 19:13 410,984 --a------ c:\windows\system32\deploytk.dll

2009-02-18 19:13 . 2009-02-18 19:13 73,728 --a------ c:\windows\system32\javacpl.cpl

2009-02-14 18:56 . 2009-02-20 15:12 39 --a------ c:\windows\GunzLauncher.INI

2009-02-14 18:53 . 2009-02-14 18:53 <DIR> d-------- c:\arquivos de programas\LevelUpGames

2009-02-14 15:44 . 2009-02-14 19:51 <DIR> d-------- c:\documents and settings\gRoOvE\Dados de aplicativos\Apple Computer

2009-02-14 15:44 . 2009-02-14 15:44 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2009-02-14 15:44 . 2009-02-14 15:44 <DIR> d-------- c:\arquivos de programas\iTunes

2009-02-14 15:44 . 2009-02-14 15:44 <DIR> d-------- c:\arquivos de programas\iPod

2009-02-14 15:44 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll

2009-02-14 15:44 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys

2009-02-14 15:43 . 2009-02-14 15:44 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Apple Computer

2009-02-14 15:43 . 2009-02-14 15:43 <DIR> d-------- c:\arquivos de programas\QuickTime

2009-02-14 15:43 . 2009-02-15 20:19 <DIR> d-------- c:\arquivos de programas\Bonjour

2009-02-14 15:43 . 2009-02-14 15:43 <DIR> d-------- c:\arquivos de programas\Apple Software Update

2009-02-14 15:42 . 2009-02-14 15:42 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Apple

2009-02-14 15:42 . 2009-02-14 15:44 <DIR> d-------- c:\arquivos de programas\Arquivos comuns\Apple

2009-02-12 23:37 . 2009-03-03 20:41 <DIR> d-------- c:\arquivos de programas\DreaMule

2009-02-11 18:48 . 2009-02-13 10:02 <DIR> d-------- c:\documents and settings\Kaio\Dados de aplicativos\Free Download Manager

2009-02-08 13:00 . 2005-10-16 08:00 12,928 --a------ c:\windows\system32\drivers\filedisk.sys

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-08 01:58 --------- d-----w c:\documents and settings\gRoOvE\Dados de aplicativos\Free Download Manager

2009-02-28 22:46 155,995 ----a-w c:\windows\java\Packages\OZNRP7VT.ZIP

2009-02-20 18:03 --------- d-----w c:\arquivos de programas\snes9x-win32

2009-02-16 00:04 --------- d-----w c:\arquivos de programas\Arquivos comuns\InstallShield

2009-02-04 07:27 3,488,768 ----a-w c:\windows\system32\drivers\ati2mtag.sys

2009-02-04 05:57 11,702,272 ----a-w c:\windows\system32\atioglxx.dll

2009-02-04 05:03 290,816 ----a-w c:\windows\system32\atiok3x2.dll

2009-02-04 04:56 442,368 ----a-w c:\windows\system32\ATIDEMGX.dll

2009-02-04 04:55 324,096 ----a-w c:\windows\system32\ati2dvag.dll

2009-02-04 04:44 196,608 ----a-w c:\windows\system32\atipdlxx.dll

2009-02-04 04:44 155,648 ----a-w c:\windows\system32\Oemdspif.dll

2009-02-04 04:43 43,520 ----a-w c:\windows\system32\ati2edxx.dll

2009-02-04 04:43 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe

2009-02-04 04:43 155,648 ----a-w c:\windows\system32\ati2evxx.dll

2009-02-04 04:41 602,112 ----a-w c:\windows\system32\ati2evxx.exe

2009-02-04 04:40 53,248 ----a-w c:\windows\system32\ATIDDC.DLL

2009-02-04 04:30 3,884,768 ----a-w c:\windows\system32\ati3duag.dll

2009-02-04 04:14 2,645,504 ----a-w c:\windows\system32\ativvaxx.dll

2009-02-04 03:58 49,664 ----a-w c:\windows\system32\amdpcom32.dll

2009-02-04 03:54 471,040 ----a-w c:\windows\system32\atikvmag.dll

2009-02-04 03:53 122,880 ----a-w c:\windows\system32\atiadlxx.dll

2009-02-04 03:52 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll

2009-02-04 03:52 17,408 ----a-w c:\windows\system32\atitvo32.dll

2009-02-04 03:46 626,688 ----a-w c:\windows\system32\ati2cqag.dll

2009-02-04 03:44 307,200 ----a-w c:\windows\system32\atiiiexx.dll

2009-02-04 02:43 45,056 ----a-w c:\windows\system32\aticalrt.dll

2009-02-04 02:42 45,056 ----a-w c:\windows\system32\aticalcl.dll

2009-02-04 02:40 3,244,032 ----a-w c:\windows\system32\aticaldd.dll

2009-02-03 21:35 98,304 ----a-w c:\windows\system32\CmdLineExt.dll

2009-01-26 00:22 --------- d-----w c:\documents and settings\gRoOvE\Dados de aplicativos\LimeWire

2009-01-25 16:42 --------- d-----w c:\arquivos de programas\Lavalys

2009-01-13 19:13 --------- d-----w c:\arquivos de programas\ATI Technologies

2009-01-08 16:33 --------- d-----w c:\arquivos de programas\Warcraft III

2009-01-02 16:40 2,829 ----a-w c:\windows\War3Unin.pif

2009-01-02 16:40 139,264 ----a-w c:\windows\War3Unin.exe

2008-12-20 22:47 826,368 ----a-w c:\windows\system32\wininet.dll

2008-12-14 01:36 43,520 ----a-w c:\windows\system32\CmdLineExt03.dll

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"DAEMON Tools Lite"="c:\arquivos de programas\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]

"SpybotSD TeaTimer"="c:\arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

"AdobeUpdater"="c:\arquivos de programas\Arquivos comuns\Adobe\Updater5\AdobeUpdater.exe" [2008-10-13 2321600]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="c:\arquiv~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"TkBellExe"="c:\arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" [2008-09-20 180269]

"QuickTime Task"="c:\arquivos de programas\QuickTime\QTTask.exe" [2009-01-05 413696]

"iTunesHelper"="c:\arquivos de programas\iTunes\iTunesHelper.exe" [2009-01-06 290088]

"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre6\bin\jusched.exe" [2009-02-18 148888]

"Atalho para a Página de Propriedades do High Definition Audio"="HDAudPropShortcut.exe" [2004-03-17 c:\windows\system32\Hdaudpropshortcut.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

 

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\

Adobe Reader Speed Launch.lnk - c:\arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]

Adobe Reader Synchronizer.lnk - c:\arquivos de programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]

MediaKey.lnk - c:\arquivos de programas\MediaKey\MagicRun.exe [2008-09-06 24576]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.ac3filter"= ac3filter.acm

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\Warcraft III\\Warcraft III.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Arquivos de programas\\DreaMule\\emule.exe"=

"c:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe"=

"c:\\Arquivos de programas\\iTunes\\iTunes.exe"=

"c:\\Arquivos de programas\\LevelUpGames\\TheDuel\\theduel.exe"=

"c:\\WINDOWS\\system32\\dpnsvr.exe"=

 

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-09-13 78416]

R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [2008-09-06 11889]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-09-13 20560]

R2 HWiNFO32;HWiNFO32 Kernel Driver;c:\arquivos de programas\HWiNFO32\HWiNFO32.SYS [2009-01-06 8192]

R3 cmudax;C-Media High Definition Audio Interface;c:\windows\system32\drivers\cmudax.sys [2007-03-14 1287296]

S3 XDva223;XDva223;\??\c:\windows\system32\XDva223.sys --> c:\windows\system32\XDva223.sys [?]

.

.

------- Scan Suplementar -------

.

uStart Page = about:blank

IE: Baixar com o Free Download Manager - file://c:\arquivos de programas\Free Download Manager\dllink.htm

IE: Baixar tudo com o Free Download Manager - file://c:\arquivos de programas\Free Download Manager\dlall.htm

IE: Baixar vídeo com o Free Download Manager - file://c:\arquivos de programas\Free Download Manager\dlfvideo.htm

IE: Download selecionado pelo Free Download Manager - file://c:\arquivos de programas\Free Download Manager\dlselected.htm

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: rlc.com.br\www

Trusted Zone: rlcnet.com.br\www

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

DPF: {952E8EEC-9FBD-11D6-817E-444553540000} - hxxp://www.rlc.com.br/fsk/quizocx/thawte/FiskNetQuizProject.CAB

DPF: {FD3DF356-A3D7-11D6-99AB-0000E8569CF3} - hxxp://www.rlcnet.com.br/fsk/netenigma/thawte/FiskNetEnigmaProject.CAB

FF - ProfilePath - c:\documents and settings\gRoOvE\Dados de aplicativos\Mozilla\Firefox\Profiles\hc6n8ccs.default\

FF - component: c:\arquivos de programas\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll

FF - component: c:\documents and settings\gRoOvE\Dados de aplicativos\Mozilla\Firefox\Profiles\hc6n8ccs.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E886C}\components\GbMzhBb.dll

 

---- FIREFOX POLICIES ----

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-08 00:08:14

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_USERS\S-1-5-21-1957994488-583907252-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:57,70,5c,b1,27,54,02,01,67,f2,d2,b7,61,5c,5b,11,21,ff,ed,42,9b,92,de,

d8,b7,46,d2,5f,66,8b,b8,64,a6,16,77,49,4a,e6,76,3b,96,0a,3e,f4,10,ae,d1,3c,\

"??"=hex:d1,2c,37,b7,82,ac,3b,57,d7,49,cf,9a,53,4b,a9,ad

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

 

- - - - - - - > 'winlogon.exe'(568)

c:\windows\system32\Ati2evxx.dll

.

Tempo para conclusão: 2009-03-08 0:09:27

ComboFix-quarantined-files.txt 2009-03-08 03:09:25

 

Pré-execução: 2.009.808.896 bytes disponíveis

Pós execução: 1,998,774,272 bytes disponíveis

 

201 --- E O F --- 2009-03-07 02:55:29


Don't flood the forum.

Follow the rules.

If 5 days have passed, send a PM to the analyst responsible.

Bumps are prohibited.


Hey gRoOvE,

Follow these instructions:

1. Open Notepad -> Copy (Ctrl + C) and Paste (Ctrl + V) all the text included in the "Quote":

RegNull::

[HKEY_USERS\S-1-5-21-1957994488-583907252-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

Registry::

[-HKEY_USERS\S-1-5-21-1957994488-583907252-725345543-1003\Software\SecuROM]

WARNING: The script above was written specifically for the infection found on this computer. Using it on another machine may cause serious problems for that user.

2. Save the file as CFScript.txt;

3. As shown in the picture below, drag the CFScript.txt file onto ComboFix.exe.

[image: cfscript.gif]

4. When the process finishes, the tool will generate a log. Post it (C:\ComboFix.txt) in your next reply, together with a new HijackThis log.

Regards.


Here is the ComboFix log:

ComboFix 09-03-06.02 - gRoOvE 2009-03-15 14:32:59.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.1535.1020 [GMT -3:00]

Executando de: d:\install\Anti Spyware\ComboFix.exe

Comandos utilizados :: c:\documents and settings\gRoOvE\Desktop\CFScript.txt

AV: avast! antivirus 4.8.1229 [VPS 090312-0] *On-access scanning disabled* (Updated)

* Criado um novo ponto de restauro

.

- MODO DE FUNCIONALIDADE REDUZIDA -

.

 

(((((((((((((((( Arquivos/Ficheiros criados de 2009-02-15 to 2009-03-15 ))))))))))))))))))))))))))))

.

 

2009-03-13 15:30 . 2009-03-14 20:12 <DIR> d-------- c:\documents and settings\Kaio\Dados de aplicativos\TerraDiscador

2009-03-12 01:02 . 2009-03-12 01:02 1,374 --a------ c:\windows\imsins.BAK

2009-03-09 18:20 . 2009-03-09 18:21 <DIR> d-------- c:\arquivos de programas\K-Lite Codec Pack

2009-03-08 20:08 . 2009-03-15 12:35 <DIR> d-------- c:\arquivos de programas\eclipse

2009-03-08 19:39 . 2009-03-08 19:40 <DIR> d-------- c:\documents and settings\gRoOvE\bluej

2009-03-08 19:39 . 2009-03-08 19:39 <DIR> d-------- c:\arquivos de programas\Sun

2009-03-08 01:38 . 2009-03-08 01:38 <DIR> d-------- C:\BlueJ

2009-03-06 21:08 . 2008-08-14 10:45 2,184,576 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe

2009-03-06 21:08 . 2008-08-14 10:45 2,140,160 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe

2009-03-06 21:08 . 2008-08-14 10:45 2,061,952 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe

2009-03-06 21:08 . 2008-08-14 10:45 2,019,840 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe

2009-03-06 00:05 . 2009-03-15 11:34 <DIR> d-------- c:\documents and settings\gRoOvE\Dados de aplicativos\TerraDiscador

2009-03-05 22:36 . 2009-03-05 22:36 <DIR> d-------- c:\windows\Modio

2009-03-05 18:46 . 2007-03-27 02:35 1,308,216 --a------ C:\HiJackThis_v2.exe

2009-03-04 09:37 . 2009-03-04 09:38 <DIR> d-------- c:\arquivos de programas\Spybot - Search & Destroy

2009-03-04 09:31 . 2009-03-04 09:50 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Spybot - Search & Destroy

2009-03-01 00:51 . 2008-10-24 08:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

2009-02-28 22:00 . 2008-06-14 14:59 272,384 --------- c:\windows\system32\drivers\bthport.sys

2009-02-28 22:00 . 2008-06-14 14:59 272,384 -----c--- c:\windows\system32\dllcache\bthport.sys

2009-02-28 16:57 . 2009-02-28 16:58 <DIR> d-------- c:\documents and settings\Kaio\Dados de aplicativos\Hamachi

2009-02-28 16:57 . 2009-02-28 16:57 10,578 --a------ c:\windows\system32\drivers\hamachi.sys

2009-02-28 16:09 . 2004-08-13 10:56 5,810 --a------ c:\windows\system32\drivers\ASACPI.sys

2009-02-28 15:38 . 2008-12-20 19:46 6,066,688 -----c--- c:\windows\system32\dllcache\ieframe.dll

2009-02-28 15:38 . 2007-04-17 06:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat

2009-02-28 15:38 . 2007-03-08 02:12 1,024,000 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui

2009-02-28 15:38 . 2008-12-20 19:46 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll

2009-02-28 15:38 . 2008-12-20 19:46 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll

2009-02-28 15:38 . 2008-12-20 19:46 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll

2009-02-28 15:38 . 2008-12-20 19:46 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll

2009-02-28 15:38 . 2008-12-20 19:46 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll

2009-02-28 15:38 . 2008-12-19 06:10 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe

2009-02-28 15:07 . 2009-03-07 16:45 <DIR> d-------- c:\windows\system32\CatRoot_bak

2009-02-21 00:33 . 2009-02-03 21:05 593,920 --------- c:\windows\system32\ati2sgag.exe

2009-02-21 00:32 . 2009-02-21 00:32 <DIR> d-------- C:\ATI

2009-02-19 17:06 . 2009-02-19 17:06 <DIR> d-------- c:\documents and settings\Kaio\Dados de aplicativos\DAEMON Tools Pro

2009-02-19 17:06 . 2009-02-19 17:10 <DIR> d-------- c:\documents and settings\Kaio\Dados de aplicativos\DAEMON Tools Lite

2009-02-19 17:06 . 2009-02-19 17:06 <DIR> d-------- c:\documents and settings\Kaio\Dados de aplicativos\DAEMON Tools

2009-02-19 17:05 . 2009-02-19 17:05 <DIR> d-------- c:\documents and settings\Kaio\.netbeans

2009-02-19 11:10 . 2009-02-19 11:10 <DIR> d-------- c:\documents and settings\gRoOvE\.netbeans-registration

2009-02-19 11:10 . 2009-02-19 11:12 <DIR> d-------- c:\documents and settings\gRoOvE\.netbeans

2009-02-19 11:05 . 2009-03-08 12:37 <DIR> d-------- c:\documents and settings\gRoOvE\.nbi

2009-02-18 19:34 . 2009-02-18 19:34 <DIR> d-------- c:\windows\Installing Adobe Acrobat Reader

2009-02-18 19:26 . 2009-02-18 19:26 <DIR> d-------- c:\documents and settings\gRoOvE\Dados de aplicativos\DAEMON Tools Pro

2009-02-18 19:26 . 2009-02-18 19:26 <DIR> d-------- c:\documents and settings\gRoOvE\Dados de aplicativos\DAEMON Tools

2009-02-18 19:25 . 2009-02-18 19:25 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\DAEMON Tools Lite

2009-02-18 19:25 . 2009-02-18 19:25 <DIR> d-------- c:\arquivos de programas\DAEMON Tools Lite

2009-02-18 19:16 . 2009-02-18 19:28 <DIR> d-------- c:\documents and settings\gRoOvE\Dados de aplicativos\DAEMON Tools Lite

2009-02-18 19:16 . 2009-02-18 19:16 717,296 --a------ c:\windows\system32\drivers\sptd.sys

2009-02-18 19:13 . 2009-03-08 19:38 <DIR> d-------- c:\arquivos de programas\Java

2009-02-18 19:13 . 2009-02-18 19:13 410,984 --a------ c:\windows\system32\deploytk.dll

2009-02-18 19:13 . 2009-02-18 19:13 73,728 --a------ c:\windows\system32\javacpl.cpl

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-15 17:32 --------- d-----w c:\documents and settings\gRoOvE\Dados de aplicativos\Free Download Manager

2009-03-10 21:28 --------- d-----w c:\documents and settings\Kaio\Dados de aplicativos\Free Download Manager

2009-03-08 23:10 --------- d-----w c:\arquivos de programas\Arquivos comuns\Apple

2009-03-03 23:41 --------- d-----w c:\arquivos de programas\DreaMule

2009-02-28 22:46 155,995 ----a-w c:\windows\java\Packages\OZNRP7VT.ZIP

2009-02-20 18:03 --------- d-----w c:\arquivos de programas\snes9x-win32

2009-02-16 00:04 --------- d-----w c:\arquivos de programas\Arquivos comuns\InstallShield

2009-02-15 23:19 --------- d-----w c:\arquivos de programas\Bonjour

2009-02-14 22:51 --------- d-----w c:\documents and settings\gRoOvE\Dados de aplicativos\Apple Computer

2009-02-14 21:53 --------- d-----w c:\arquivos de programas\LevelUpGames

2009-02-14 18:44 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Apple Computer

2009-02-14 18:43 --------- d-----w c:\arquivos de programas\QuickTime

2009-02-14 18:43 --------- d-----w c:\arquivos de programas\Apple Software Update

2009-02-14 18:42 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Apple

2009-02-09 18:56 67,584 ----a-w c:\windows\system32\ff_vfw.dll

2009-02-09 14:17 1,846,400 ----a-w c:\windows\system32\win32k.sys

2009-02-04 07:27 3,488,768 ----a-w c:\windows\system32\drivers\ati2mtag.sys

2009-02-04 05:57 11,702,272 ----a-w c:\windows\system32\atioglxx.dll

2009-02-04 05:03 290,816 ----a-w c:\windows\system32\atiok3x2.dll

2009-02-04 04:56 442,368 ----a-w c:\windows\system32\ATIDEMGX.dll

2009-02-04 04:55 324,096 ----a-w c:\windows\system32\ati2dvag.dll

2009-02-04 04:44 196,608 ----a-w c:\windows\system32\atipdlxx.dll

2009-02-04 04:44 155,648 ----a-w c:\windows\system32\Oemdspif.dll

2009-02-04 04:43 43,520 ----a-w c:\windows\system32\ati2edxx.dll

2009-02-04 04:43 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe

2009-02-04 04:43 155,648 ----a-w c:\windows\system32\ati2evxx.dll

2009-02-04 04:41 602,112 ----a-w c:\windows\system32\ati2evxx.exe

2009-02-04 04:40 53,248 ----a-w c:\windows\system32\ATIDDC.DLL

2009-02-04 04:30 3,884,768 ----a-w c:\windows\system32\ati3duag.dll

2009-02-04 04:14 2,645,504 ----a-w c:\windows\system32\ativvaxx.dll

2009-02-04 03:58 49,664 ----a-w c:\windows\system32\amdpcom32.dll

2009-02-04 03:54 471,040 ----a-w c:\windows\system32\atikvmag.dll

2009-02-04 03:53 122,880 ----a-w c:\windows\system32\atiadlxx.dll

2009-02-04 03:52 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll

2009-02-04 03:52 17,408 ----a-w c:\windows\system32\atitvo32.dll

2009-02-04 03:46 626,688 ----a-w c:\windows\system32\ati2cqag.dll

2009-02-04 03:44 307,200 ----a-w c:\windows\system32\atiiiexx.dll

2009-02-04 02:43 45,056 ----a-w c:\windows\system32\aticalrt.dll

2009-02-04 02:42 45,056 ----a-w c:\windows\system32\aticalcl.dll

2009-02-04 02:40 3,244,032 ----a-w c:\windows\system32\aticaldd.dll

2009-02-03 21:35 98,304 ----a-w c:\windows\system32\CmdLineExt.dll

2009-01-26 00:22 --------- d-----w c:\documents and settings\gRoOvE\Dados de aplicativos\LimeWire

2009-01-25 16:42 --------- d-----w c:\arquivos de programas\Lavalys

2009-01-07 18:14 60,273 ----a-w c:\windows\system32\pthreadGC2.dll

2009-01-02 16:40 2,829 ----a-w c:\windows\War3Unin.pif

2009-01-02 16:40 139,264 ----a-w c:\windows\War3Unin.exe

2008-12-20 22:47 826,368 ----a-w c:\windows\system32\wininet.dll

.

 

((((((((((((((((((((((((((((( SnapShot@2009-03-07_23.50.03,35 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-02-09 13:55:06 1,847,552 ----a-w c:\windows\$hf_mig$\KB958690\SP2QFE\win32k.sys

+ 2009-02-09 14:06:06 1,846,912 ----a-w c:\windows\$hf_mig$\KB958690\SP3GDR\win32k.sys

+ 2009-02-09 14:00:41 1,847,680 ----a-w c:\windows\$hf_mig$\KB958690\SP3QFE\win32k.sys

+ 2008-07-09 07:34:50 18,296 ----a-w c:\windows\$hf_mig$\KB958690\spmsg.dll

+ 2008-07-09 07:34:51 233,336 ----a-w c:\windows\$hf_mig$\KB958690\spuninst.exe

+ 2008-07-09 07:34:50 26,488 ----a-w c:\windows\$hf_mig$\KB958690\update\spcustom.dll

+ 2008-07-09 07:34:54 760,696 ----a-w c:\windows\$hf_mig$\KB958690\update\update.exe

+ 2008-07-09 07:35:02 395,128 ----a-w c:\windows\$hf_mig$\KB958690\update\updspapi.dll

+ 2008-12-05 06:53:28 144,896 ----a-w c:\windows\$hf_mig$\KB960225\SP2QFE\schannel.dll

+ 2008-12-05 06:58:04 144,896 ----a-w c:\windows\$hf_mig$\KB960225\SP3GDR\schannel.dll

+ 2008-12-05 06:59:27 144,896 ----a-w c:\windows\$hf_mig$\KB960225\SP3QFE\schannel.dll

+ 2007-11-30 11:18:16 18,296 ----a-w c:\windows\$hf_mig$\KB960225\spmsg.dll

+ 2007-11-30 11:18:16 233,336 ----a-w c:\windows\$hf_mig$\KB960225\spuninst.exe

+ 2007-11-30 11:18:16 26,488 ----a-w c:\windows\$hf_mig$\KB960225\update\spcustom.dll

+ 2007-11-30 12:39:05 760,696 ----a-w c:\windows\$hf_mig$\KB960225\update\update.exe

+ 2007-11-30 12:39:05 395,128 ----a-w c:\windows\$hf_mig$\KB960225\update\updspapi.dll

- 2009-03-06 15:33:01 593,920 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\accicons.exe

+ 2009-03-10 21:14:01 593,920 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\accicons.exe

- 2009-03-06 15:33:01 12,288 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\cagicon.exe

+ 2009-03-10 21:14:01 12,288 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\cagicon.exe

- 2009-03-06 15:33:01 86,016 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\inficon.exe

+ 2009-03-10 21:14:02 86,016 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\inficon.exe

- 2009-03-06 15:33:00 135,168 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\misc.exe

+ 2009-03-10 21:14:01 135,168 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\misc.exe

- 2009-03-06 15:33:01 11,264 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\mspicons.exe

+ 2009-03-10 21:14:02 11,264 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\mspicons.exe

- 2009-03-06 15:33:02 27,136 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\oisicon.exe

+ 2009-03-10 21:14:02 27,136 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\oisicon.exe

- 2009-03-06 15:33:02 4,096 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\opwicon.exe

+ 2009-03-10 21:14:02 4,096 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\opwicon.exe

- 2009-03-06 15:33:02 794,624 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\outicon.exe

+ 2009-03-10 21:14:02 794,624 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\outicon.exe

- 2009-03-06 15:33:00 249,856 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\pptico.exe

+ 2009-03-10 21:14:01 249,856 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\pptico.exe

- 2009-03-06 15:33:00 61,440 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\pubs.exe

+ 2009-03-10 21:14:01 61,440 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\pubs.exe

- 2009-03-06 15:33:02 23,040 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\unbndico.exe

+ 2009-03-10 21:14:02 23,040 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\unbndico.exe

- 2009-03-06 15:32:59 286,720 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\wordicon.exe

+ 2009-03-10 21:14:01 286,720 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\wordicon.exe

- 2009-03-06 15:32:59 409,600 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\xlicons.exe

+ 2009-03-10 21:14:01 409,600 ----a-r c:\windows\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\xlicons.exe

- 2007-05-31 11:44:56 740,442 ----a-w c:\windows\system32\divx.dll

+ 2008-11-06 16:33:52 684,032 ----a-w c:\windows\system32\divx.dll

- 2006-10-18 23:03:58 100,864 -c--a-w c:\windows\system32\dllcache\logagent.exe

+ 2008-06-18 04:09:22 100,864 -c--a-w c:\windows\system32\dllcache\logagent.exe

- 2004-08-04 03:45:26 144,896 -c--a-w c:\windows\system32\dllcache\schannel.dll

+ 2008-12-05 07:13:12 144,896 -c--a-w c:\windows\system32\dllcache\schannel.dll

- 2008-09-15 15:40:06 1,846,144 -c--a-w c:\windows\system32\dllcache\win32k.sys

+ 2009-02-09 14:17:43 1,846,400 -c--a-w c:\windows\system32\dllcache\win32k.sys

- 2006-10-19 00:47:20 937,984 -c--a-w c:\windows\system32\dllcache\WMNetMgr.dll

+ 2008-06-18 08:03:08 938,496 -c--a-w c:\windows\system32\dllcache\WMNetmgr.dll

- 2006-10-19 00:47:22 2,450,944 -c--a-w c:\windows\system32\dllcache\wmvcore.dll

+ 2008-06-18 08:03:14 2,458,112 -c--a-w c:\windows\system32\dllcache\WMVCore.dll

- 2007-04-23 05:02:36 73,728 ----a-w c:\windows\system32\dpl100.dll

+ 2008-12-11 00:33:26 86,016 ----a-w c:\windows\system32\dpl100.dll

- 2009-03-04 02:21:54 120,544 ----a-w c:\windows\system32\FNTCACHE.DAT

+ 2009-03-12 14:32:09 120,544 ----a-w c:\windows\system32\FNTCACHE.DAT

- 2006-10-18 23:03:58 100,864 ----a-w c:\windows\system32\logagent.exe

+ 2008-06-18 04:09:22 100,864 ----a-w c:\windows\system32\logagent.exe

- 2007-04-23 05:15:30 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll

+ 2008-11-06 16:37:32 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll

- 2004-08-04 03:45:26 144,896 ----a-w c:\windows\system32\schannel.dll

+ 2008-12-05 07:13:12 144,896 ----a-w c:\windows\system32\schannel.dll

+ 2008-09-16 19:23:26 168,448 ----a-w c:\windows\system32\unrar.dll

- 2006-10-19 00:47:20 937,984 ----a-w c:\windows\system32\WMNetMgr.dll

+ 2008-06-18 08:03:08 938,496 ----a-w c:\windows\system32\WMNetmgr.dll

- 2006-10-19 00:47:22 2,450,944 ----a-w c:\windows\system32\wmvcore.dll

+ 2008-06-18 08:03:14 2,458,112 ----a-w c:\windows\system32\WMVCore.dll

- 2007-04-28 17:54:36 593,920 ----a-w c:\windows\system32\xvidcore.dll

+ 2008-12-07 18:08:06 795,648 ----a-w c:\windows\system32\xvidcore.dll

- 2006-11-01 17:54:30 180,224 ----a-w c:\windows\system32\xvidvfw.dll

+ 2008-12-07 18:08:04 130,048 ----a-w c:\windows\system32\xvidvfw.dll

- 2004-01-25 21:18:44 217,088 ----a-w c:\windows\system32\yv12vfw.dll

+ 2004-01-25 16:18:44 217,088 ----a-w c:\windows\system32\yv12vfw.dll

+ 2009-03-15 13:53:51 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4c8.dat

+ 2009-03-15 13:53:59 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7a4.dat

.

-- Snapshot resetado para data atual --

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"DAEMON Tools Lite"="c:\arquivos de programas\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]

"SpybotSD TeaTimer"="c:\arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

"AdobeUpdater"="c:\arquivos de programas\Arquivos comuns\Adobe\Updater5\AdobeUpdater.exe" [2008-10-13 2321600]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="c:\arquiv~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"TkBellExe"="c:\arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" [2008-09-20 180269]

"QuickTime Task"="c:\arquivos de programas\QuickTime\qttask.exe" [2009-01-05 413696]

"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre6\bin\jusched.exe" [2009-02-18 148888]

"Atalho para a Página de Propriedades do High Definition Audio"="HDAudPropShortcut.exe" [2004-03-17 c:\windows\system32\Hdaudpropshortcut.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

 

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\

Adobe Reader Speed Launch.lnk - c:\arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]

Adobe Reader Synchronizer.lnk - c:\arquivos de programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]

MediaKey.lnk - c:\arquivos de programas\MediaKey\MagicRun.exe [2008-09-06 24576]

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\Warcraft III\\Warcraft III.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Arquivos de programas\\DreaMule\\emule.exe"=

"c:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe"=

"c:\\Arquivos de programas\\LevelUpGames\\TheDuel\\theduel.exe"=

"c:\\WINDOWS\\system32\\dpnsvr.exe"=

"c:\\Arquivos de programas\\Java\\jdk1.6.0_12\\jre\\bin\\java.exe"=

"c:\\Arquivos de programas\\eclipse\\eclipse.exe"=

 

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-09-13 78416]

R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [2008-09-06 11889]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-09-13 20560]

R2 HWiNFO32;HWiNFO32 Kernel Driver;c:\arquivos de programas\HWiNFO32\HWiNFO32.SYS [2009-01-06 8192]

R3 cmudax;C-Media High Definition Audio Interface;c:\windows\system32\drivers\cmudax.sys [2007-03-14 1287296]

S3 XDva223;XDva223;\??\c:\windows\system32\XDva223.sys --> c:\windows\system32\XDva223.sys [?]

.

.

------- Scan Suplementar -------

.

uStart Page = about:blank

IE: Baixar com o Free Download Manager - file://c:\arquivos de programas\Free Download Manager\dllink.htm

IE: Baixar tudo com o Free Download Manager - file://c:\arquivos de programas\Free Download Manager\dlall.htm

IE: Baixar vídeo com o Free Download Manager - file://c:\arquivos de programas\Free Download Manager\dlfvideo.htm

IE: Download selecionado pelo Free Download Manager - file://c:\arquivos de programas\Free Download Manager\dlselected.htm

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: rlc.com.br\www

Trusted Zone: rlcnet.com.br\www

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

DPF: {952E8EEC-9FBD-11D6-817E-444553540000} - hxxp://www.rlc.com.br/fsk/quizocx/thawte/FiskNetQuizProject.CAB

DPF: {FD3DF356-A3D7-11D6-99AB-0000E8569CF3} - hxxp://www.rlcnet.com.br/fsk/netenigma/thawte/FiskNetEnigmaProject.CAB

FF - ProfilePath - c:\documents and settings\gRoOvE\Dados de aplicativos\Mozilla\Firefox\Profiles\hc6n8ccs.default\

FF - component: c:\arquivos de programas\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll

FF - component: c:\documents and settings\gRoOvE\Dados de aplicativos\Mozilla\Firefox\Profiles\hc6n8ccs.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E886C}\components\GbMzhBb.dll

 

---- FIREFOX POLICIES ----

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-15 14:33:35

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

 

- - - - - - - > 'winlogon.exe'(564)

c:\windows\system32\Ati2evxx.dll

.

Tempo para conclusão: 2009-03-15 14:34:51

ComboFix-quarantined-files.txt 2009-03-15 17:34:49

ComboFix2.txt 2009-03-08 03:09:28

 

Pré-execução: 1.214.140.416 bytes disponíveis

Pós execução: 1,270,153,216 bytes disponíveis

 

278 --- E O F --- 2009-03-12 04:02:47

 

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 14:38:36, on 15/3/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Arquivos de programas\Bonjour\mDNSResponder.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\slserv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\Explorer.EXE

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe

C:\Arquivos de programas\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

C:\Arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe

C:\Arquivos de programas\MediaKey\OSD.EXE

C:\Arquivos de programas\MediaKey\Versato.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\gRoOvE\Dados de aplicativos\TerraDiscador\DiscadorCompacto.exe

C:\WINDOWS\system32\slrundll.exe

C:\WINDOWS\system32\wuauclt.exe

C:\HiJackThis_v2.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Arquivos de programas\Free Download Manager\iefdm2.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [Atalho para a Página de Propriedades do High Definition Audio] HDAudPropShortcut.exe

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Arquivos de programas\DAEMON Tools Lite\daemon.exe" -autorun

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Arquivos de programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: MediaKey.lnk = C:\Arquivos de programas\MediaKey\MagicRun.exe

O8 - Extra context menu item: Baixar com o Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dllink.htm

O8 - Extra context menu item: Baixar tudo com o Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dlall.htm

O8 - Extra context menu item: Baixar vídeo com o Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dlfvideo.htm

O8 - Extra context menu item: Download selecionado pelo Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dlselected.htm

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (file missing)

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O15 - Trusted Zone: http://www.rlc.com.br

O15 - Trusted Zone: http://www.rlcnet.com.br

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1231879433203

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1231879426500

O16 - DPF: {952E8EEC-9FBD-11D6-817E-444553540000} (FiskNetQuizProject.FiskNetQuiz) - http://www.rlc.com.br/fsk/quizocx/thawte/F...QuizProject.CAB

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O16 - DPF: {FD3DF356-A3D7-11D6-99AB-0000E8569CF3} (FiskNetEnigmaProject.FiskNetEnigma) - http://www.rlcnet.com.br/fsk/netenigma/tha...igmaProject.CAB

O17 - HKLM\System\CCS\Services\Tcpip\..\{CA62C6EF-519C-407B-9E87-2CA5F85F191F}: NameServer = 200.176.2.12 200.176.2.10

O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Dispositivo Celular da Apple (Apple Mobile Device) - Apple Inc. - C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

 

--

End of file - 8845 bytes

 

One question: my PC has been freezing constantly lately; could this infection be the cause? Cheers.


Hey gRoOvE,

1. Download BankerFix 3.0.

2. Temporarily disable your antivirus.

3. Double-click bankerfix.exe. The Banker Fix 3.0 window will open with the question "Instalar o BankerFix 3.0 / Install BankerFix 3.0 ?" >> click SIM (Yes).

4. A window will open informing you that BankerFix 3.0 will be downloaded from the internet >> click OK and wait. In the next window click OK once more so that BankerFix 3.0 starts.

5. Press any key to continue the process and wait until the scan completes. Be patient, as it may take a few minutes.

6. When the scan finishes, read the message on screen and press Enter.

7. Re-enable your antivirus.

8. Come back with BankerFix's relatorio.txt (it will be in C:\LinhaDefensiva\).

9. After posting your reply you may delete the LinhaDefensiva folder on C:.

Cheers.

PS: If the following message appears: "Site denunciado como foco de ataques!" (Site reported as an attack source!), don't worry and click "Ignorar este alerta" (Ignore this alert).

> One question: my PC has been freezing constantly lately; could this infection be the cause?

Yes, but we'll sort this out. ;)


Here is the BankerFix 3.0 log:

BankerFix 3.0 VALKYRIE - Removedor de Bankers

Linha Defensiva | http://www.linhadefensiva.org

http://www.linhadefensiva.org/bankerfix/

-------------------------------------------------------

Data: 2009-03-16 - 23:04

-------------------------------------------------------

Lista de Definição: 2009-01-21-2 | CORE: 2009-01-21-1

=======================================================

 

 

 

----- Fim -------------------------

I don't think it found anything...


Hey gRoOvE,

1. Download the Kaspersky Virus Removal Tool.

2. The file is roughly 35 MB, but the result will be worth the effort.

3. Restart the machine in Safe Mode.

4. Run the tool by double-clicking the downloaded file.

5. The following window will open:

Kaspersky-Virus-Removal-Tool_1.png

6. Check the directories you want to scan (it is best to check all of them).

7. Click Scan and wait for the process to finish.

8. Once the scan is done, come back with the result.

Cheers.


Good evening Jgarcia, I ran Kaspersky here and it found one infected file, which I've already deleted... it seems it isn't freezing anymore; I'll wait a while longer and come back with a definitive answer here. Thanks for the help. Cheers!

> Good evening Jgarcia, I ran Kaspersky here and it found one infected file, which I've already deleted... it seems it isn't freezing anymore; I'll wait a while longer and come back with a definitive answer here. Thanks for the help. Cheers!

Problem solved?


No, it's still happening, mate... I think I'll have to format it "/

What do you think?

> No, it's still happening, mate... I think I'll have to format it "/
>
> What do you think?

Unfortunately, I think formatting is the most viable solution in your case. :(

Cheers, and feel free to ask again.


It might not be software either. A while back lightning fried my 56k modem and my power supply, and before that the PC never froze... after I replaced those two parts it started acting up. It's throwing blue screen errors mentioning pci.sys. I'm going to put in another modem and format to see. Cheers and thanks for the help, mate!


PROBLEM SOLVED!

If the author needs the topic reopened, just send a Private Message to a Moderator with a link to the topic.
