
Archived

This topic has been archived and is closed to further replies.

Jonas Moreira

[Archived] Slow PC


I'd like someone to analyze my PC to see if there is any malware or keylogger on it.

I was hacked before because of a keylogger, but I ran the Spybot scan and it hasn't happened again lately.

 

Here is the Kaspersky Online Scanner log, followed by the HijackThis log.

 

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0 REPORT

Thursday, April 30, 2009

Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Program database last update: Wednesday, April 29, 2009 22:15:23

Records in database: 2101635

--------------------------------------------------------------------------------

 

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

 

Scan area - My Computer:

A:\

C:\

D:\

F:\

 

Scan statistics:

Files scanned: 66691

Threat name: 0

Infected objects: 0

Suspicious objects: 0

Duration of the scan: 03:57:12

 

No malware has been detected. The scan area is clean.

 

The selected area was scanned.

 

--------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 00:13:16, on 30/4/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\ESET\ESET Smart Security\ekrn.exe

C:\Arquivos de programas\Windows Live\Family Safety\fsssvc.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

C:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\pctspk.exe

C:\Arquivos de programas\ESET\ESET Smart Security\egui.exe

C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe

C:\Arquivos de programas\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\VM303_STI.EXE

C:\Arquivos de programas\Windows Live\Family Safety\fsui.exe

C:\Documents and Settings\Usuário\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe

C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Adobe\Reader 8.0\Reader\AcroRd32.exe

C:\Documents and Settings\Usuário\Desktop\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Windows Live Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Arquivos de programas\Windows Live\Family Safety\fssbho.dll

O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Arquivos de programas\Windows Live\Messenger\wlchtc.dll

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Arquivos de programas\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Arquivos de programas\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: (no name) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - (no file)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Arquivos de programas\Google\Google Toolbar\GoogleToolbar.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [egui] "C:\Arquivos de programas\ESET\ESET Smart Security\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [bigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)

O4 - HKLM\..\Run: [fssui] "C:\Arquivos de programas\Windows Live\Family Safety\fsui.exe" -autorun

O4 - HKCU\..\Run: [ares] "C:\Arquivos de programas\Ares\Ares.exe" -h

O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [TrueTransparency] "C:\TrueTransparency\TrueTransparency.exe"

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Usuário\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Configurações locais\Temp" (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_03] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Configurações locais\Temp" (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Arquivos de programas\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Arquivos de programas\ESET\ESET Smart Security\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Arquivos de programas\ESET\ESET Smart Security\ekrn.exe

O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

 

--

End of file - 9898 bytes


Good morning! Jonas Moreira

 

<!> To detect keyloggers, we can look at the AVZ log.

<><><><><><><><><><><>

<@> Download: < avz4en.zip > or < avz_antiviral_toolkit >

<@> Save it in Arquivos de programas (Program Files) and unzip it right there!

<@> Open the avz4 folder and run the application with a double-click. <-- Shield-and-sword icon!

<@> Connect to the Internet and update the Toolkit. --> "File" --> "Database Update" --> AVZupdate.jpg <--

<@> When that finishes, don't run any scan yet.

<@> In the "Search range" tab, check all the boxes.

<@> Under "File types", select the "All files" button.

<@> Under "Actions", check "Perform healing".

<@> In the fields below "Perform healing", choose "Report only" for all items.

<@> Below "RiskWare", check the box "Copy suspicious files to Quarantine". <-- Only this box!

<@> In the "Search parameters" menu, set "Heuristic analysis" to maximum.

<@> Check the "Extended analysis" box. <-- Only this box!

<@> Don't uncheck the ones that are checked by default!

<@> Close any open programs and run the tool! <-- Click Start.

<@> When the scan finishes, click the "Save log" icon so we have the report. ( avz_log )

<@> Also click the "glasses" icon.

<@> Click "Save as CSV".

<@> Save this report to the desktop! <-- Text format. ( *.txt )

<@> Name it: view_log

<@> Copy and post avz_log.txt + view_log.txt in your reply.

 

Cheers!


Hey, here are the logs:

---------------

avz_log:

---------------

AVZ Antiviral Toolkit log; AVZ version is 4.30

Scanning started at 2/5/2009 01:45:16

Database loaded: signatures - 221453, NN profile(s) - 2, microprograms of healing - 56, signature database released 01.05.2009 22:48

Heuristic microprograms loaded: 372

SPV microprograms loaded: 9

Digital signatures of system files loaded: 110259

Heuristic analyzer mode: Maximum heuristics level

Healing mode: enabled

Windows version: 5.1.2600, Service Pack 3 ; AVZ is launched with administrator rights

System Restore: enabled

1. Searching for Rootkits and programs intercepting API functions

1.1 Searching for user-mode API hooks

Analysis: kernel32.dll, export table found in section .text

Analysis: ntdll.dll, export table found in section .text

Analysis: user32.dll, export table found in section .text

Analysis: advapi32.dll, export table found in section .text

Analysis: ws2_32.dll, export table found in section .text

Analysis: wininet.dll, export table found in section .text

Analysis: rasapi32.dll, export table found in section .text

Analysis: urlmon.dll, export table found in section .text

Analysis: netapi32.dll, export table found in section .text

1.2 Searching for kernel-mode API hooks

Driver loaded successfully

SDT found (RVA=083220)

Kernel ntoskrnl.exe found in memory at address 804D7000

SDT = 8055A220

KiST = 804E26A8 (284)

Functions checked: 284, intercepted: 0, restored: 0

1.3 Checking IDT and SYSENTER

Analysis for CPU 1

Checking IDT and SYSENTER - complete

1.4 Searching for masking processes and drivers

Checking not performed: extended monitoring driver (AVZPM) is not installed

Driver loaded successfully

1.5 Checking of IRP handlers

Checking - complete

2. Scanning memory

Number of processes found: 34

Analyzer: process under analysis is 1400 C:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

[ES]:Contains network functionality

[ES]:Application has no visible windows

[ES]:Loads RASAPI DLL - may use dialing ?

Analyzer: process under analysis is 2604 C:\WINDOWS\system32\pctspk.exe

[ES]:Contains network functionality

[ES]:Application has no visible windows

[ES]:Located in system folder

[ES]:Registered in autoruns !!

[ES]:Loads RASAPI DLL - may use dialing ?

Analyzer: process under analysis is 2632 C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe

[ES]:Application has no visible windows

[ES]:Registered in autoruns !!

Analyzer: process under analysis is 2760 C:\WINDOWS\VM303_STI.EXE

[ES]:Application has no visible windows

[ES]:Located in system folder

[ES]:Registered in autoruns !!

Analyzer: process under analysis is 2768 C:\Arquivos de programas\Windows Live\Family Safety\fsui.exe

[ES]:Contains network functionality

[ES]:Application has no visible windows

[ES]:Registered in autoruns !!

Number of modules loaded: 336

Scanning memory - complete

3. Scanning disks

C:\Arquivos de programas\Arquivos comuns\Windows Live\.cache\1528308e1c9c262\fssclient_x86.msi/{MS-OLE}/\8 >>>>> Trojan.Kyjak

C:\Arquivos de programas\Arquivos comuns\Windows Live\.cache\19553e1c1c99dc4\fssclient_x86.msi/{MS-OLE}/\8 >>>>> Trojan.Kyjak

Direct reading C:\Documents and Settings\All Users\Dados de aplicativos\ESET\ESET Smart Security\Charon\CACHE.NDB

Direct reading C:\Documents and Settings\All Users\Dados de aplicativos\ESET\ESET Smart Security\Logs\epfwlog.dat

Direct reading C:\Documents and Settings\All Users\Dados de aplicativos\ESET\ESET Smart Security\Logs\virlog.dat

Direct reading C:\Documents and Settings\All Users\Dados de aplicativos\ESET\ESET Smart Security\Logs\warnlog.dat

Direct reading C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr0.dat

Direct reading C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr1.dat

Direct reading C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat

Direct reading C:\Documents and Settings\LocalService\Configurações locais\Histórico\History.IE5\index.dat

Direct reading C:\Documents and Settings\LocalService\Configurações locais\Temporary Internet Files\Content.IE5\index.dat

Direct reading C:\Documents and Settings\LocalService\Cookies\index.dat

Direct reading C:\Documents and Settings\LocalService\NTUSER.DAT

Direct reading C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat

Direct reading C:\Documents and Settings\NetworkService\NTUSER.DAT

Direct reading C:\Documents and Settings\Usuário\Configurações locais\Dados de aplicativos\Microsoft\Media Player\CurrentDatabase_360.wmdb

Direct reading C:\Documents and Settings\Usuário\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat

Direct reading C:\Documents and Settings\Usuário\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\m0whl1j2.default\Cache\_CACHE_001_

Direct reading C:\Documents and Settings\Usuário\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\m0whl1j2.default\Cache\_CACHE_002_

Direct reading C:\Documents and Settings\Usuário\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\m0whl1j2.default\Cache\_CACHE_003_

Direct reading C:\Documents and Settings\Usuário\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\m0whl1j2.default\Cache\_CACHE_MAP_

Direct reading C:\Documents and Settings\Usuário\Configurações locais\Histórico\History.IE5\index.dat

Direct reading C:\Documents and Settings\Usuário\Configurações locais\Histórico\History.IE5\MSHist012009050220090503\index.dat

C:\Documents and Settings\Usuário\Configurações locais\Temp\0421064400000a5c6enyiexr4w\fssclient_x86.msi/{MS-OLE}/\8 >>>>> Trojan.Kyjak

C:\Documents and Settings\Usuário\Configurações locais\Temp\0425142000000a1cm51ngef7f5\fssclient_x86.msi/{MS-OLE}/\8 >>>>> Trojan.Kyjak

Direct reading C:\Documents and Settings\Usuário\Configurações locais\Temp\etilqs_pDcqDbRL24Lg7HwZvJji

Direct reading C:\Documents and Settings\Usuário\Configurações locais\Temporary Internet Files\Content.IE5\index.dat

Direct reading C:\Documents and Settings\Usuário\Cookies\index.dat

Direct reading C:\Documents and Settings\Usuário\Dados de aplicativos\Mozilla\Firefox\Profiles\m0whl1j2.default\cert8.db

Direct reading C:\Documents and Settings\Usuário\Dados de aplicativos\Mozilla\Firefox\Profiles\m0whl1j2.default\content-prefs.sqlite

Direct reading C:\Documents and Settings\Usuário\Dados de aplicativos\Mozilla\Firefox\Profiles\m0whl1j2.default\cookies.sqlite

Direct reading C:\Documents and Settings\Usuário\Dados de aplicativos\Mozilla\Firefox\Profiles\m0whl1j2.default\downloads.sqlite

Direct reading C:\Documents and Settings\Usuário\Dados de aplicativos\Mozilla\Firefox\Profiles\m0whl1j2.default\formhistory.sqlite

Direct reading C:\Documents and Settings\Usuário\Dados de aplicativos\Mozilla\Firefox\Profiles\m0whl1j2.default\key3.db

Direct reading C:\Documents and Settings\Usuário\Dados de aplicativos\Mozilla\Firefox\Profiles\m0whl1j2.default\permissions.sqlite

Direct reading C:\Documents and Settings\Usuário\Dados de aplicativos\Mozilla\Firefox\Profiles\m0whl1j2.default\places.sqlite

Direct reading C:\Documents and Settings\Usuário\Dados de aplicativos\Mozilla\Firefox\Profiles\m0whl1j2.default\places.sqlite-journal

C:\Documents and Settings\Usuário\Meus documentos\Meus arquivos recebidos\jonas95851441922253\Histórico\darlan.madden_stronda240960986.xml >>> suspicion for Trojan-Downloader.Win32.Small.alb ( 09AB59DD 093F1A28 0017B7F6 00000000 9219)

File quarantined succesfully (C:\Documents and Settings\Usuário\Meus documentos\Meus arquivos recebidos\jonas95851441922253\Histórico\darlan.madden_stronda240960986.xml)

Direct reading C:\Documents and Settings\Usuário\ntuser.dat

Direct reading C:\Documents and Settings\Usuário\ntuser.dat.LOG

C:\System Volume Information\_restore{016C3B26-4755-48D3-BB31-008A539A8BA7}\RP152\A0133649.msi/{MS-OLE}/\7 >>>>> Trojan.Kyjak

C:\System Volume Information\_restore{016C3B26-4755-48D3-BB31-008A539A8BA7}\RP160\A0140968.msi/{MS-OLE}/\7 >>>>> Trojan.Kyjak

C:\System Volume Information\_restore{016C3B26-4755-48D3-BB31-008A539A8BA7}\RP160\A0141170.msi/{MS-OLE}/\8 >>>>> Trojan.Kyjak

C:\System Volume Information\_restore{016C3B26-4755-48D3-BB31-008A539A8BA7}\RP160\A0142220.msi/{MS-OLE}/\8 >>>>> Trojan.Kyjak

C:\System Volume Information\_restore{016C3B26-4755-48D3-BB31-008A539A8BA7}\RP196\A0177895.msi/{MS-OLE}/\7 >>>>> Trojan.Kyjak

C:\System Volume Information\_restore{016C3B26-4755-48D3-BB31-008A539A8BA7}\RP198\A0181873.rbf/{MS-OLE}/\7 >>>>> Trojan.Kyjak

C:\System Volume Information\_restore{016C3B26-4755-48D3-BB31-008A539A8BA7}\RP199\A0182308.msi/{MS-OLE}/\7 >>>>> Trojan.Kyjak

Direct reading C:\System Volume Information\_restore{016C3B26-4755-48D3-BB31-008A539A8BA7}\RP206\change.log

C:\WINDOWS\$NtServicePackUninstall$\format.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)

File quarantined succesfully (C:\WINDOWS\$NtServicePackUninstall$\format.com)

C:\WINDOWS\$NtServicePackUninstall$\more.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)

File quarantined succesfully (C:\WINDOWS\$NtServicePackUninstall$\more.com)

C:\WINDOWS\$NtServicePackUninstall$\reg01409 >>> suspicion for Trojan.Win32.RamEater.10 ( 00025876 00000000 00159777 00128BDF 28672)

File quarantined succesfully (C:\WINDOWS\$NtServicePackUninstall$\reg01409)

C:\WINDOWS\$NtServicePackUninstall$\tree.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)

File quarantined succesfully (C:\WINDOWS\$NtServicePackUninstall$\tree.com)

C:\WINDOWS\Installer\207d17.msi/{MS-OLE}/\7 >>>>> Trojan.Kyjak

Direct reading C:\WINDOWS\SchedLgU.Txt

Direct reading C:\WINDOWS\SoftwareDistribution\ReportingEvents.log

Direct reading C:\WINDOWS\system32\CatRoot2\edb.log

Direct reading C:\WINDOWS\system32\CatRoot2\tmp.edb

Direct reading C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb

Direct reading C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb

Direct reading C:\WINDOWS\system32\config\AppEvent.Evt

Direct reading C:\WINDOWS\system32\config\default

Direct reading C:\WINDOWS\system32\config\Internet.evt

Direct reading C:\WINDOWS\system32\config\SAM

Direct reading C:\WINDOWS\system32\config\SecEvent.Evt

Direct reading C:\WINDOWS\system32\config\SECURITY

Direct reading C:\WINDOWS\system32\config\SysEvent.Evt

Direct reading C:\WINDOWS\system32\config\system

Direct reading C:\WINDOWS\system32\config\systemprofile\Configurações locais\Temp\Perflib_Perfdata_2f4.dat

Direct reading C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR

Direct reading C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP

Direct reading C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP

Direct reading C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA

Direct reading C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP

Direct reading C:\WINDOWS\WindowsUpdate.log

4. Checking Winsock Layered Service Provider (SPI/LSP)

LSP settings checked. No errors detected

5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)

6. Searching for opened TCP/UDP ports used by malicious programs

Checking disabled by user

7. Heuristic system check

Checking - complete

8. Searching for vulnerabilities

>> Services: potentially dangerous service allowed: RemoteRegistry (Registro remoto)

>> Services: potentially dangerous service allowed: TermService (Serviços de terminal)

>> Services: potentially dangerous service allowed: SSDPSRV (Serviço de descoberta SSDP)

>> Services: potentially dangerous service allowed: Schedule (Agendador de tarefas)

>> Services: potentially dangerous service allowed: mnmsrvc (Compartilhamento remoto da área de trabalho do NetMeeting)

>> Services: potentially dangerous service allowed: RDSessMgr (Gerenciador de sessão de ajuda de área de trabalho remota)

> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!

>> Security: disk drives' autorun is enabled

>> Security: administrative shares (C$, D$ ...) are enabled

>> Security: anonymous user access is enabled

>> Security: sending Remote Assistant queries is enabled

Checking - complete

9. Troubleshooting wizard

>> HDD autorun are allowed

>> Autorun from network drives are allowed

>> Removable media autorun are allowed

Checking - complete

Files scanned: 452967, extracted from archives: 369153, malicious software found 12, suspicions - 2

Scanning finished at 2/5/2009 03:36:41

Time of scanning: 01:51:27

If you have a suspicion on presence of viruses or questions on the suspected objects,

you can address http://virusinfo.info conference

 

---------------

view_log:

---------------

C:\Arquivos de programas\Arquivos comuns\Windows Live\.cache\1528308e1c9c262\fssclient_x86.msi 1 Trojan.Kyjak

C:\Arquivos de programas\Arquivos comuns\Windows Live\.cache\19553e1c1c99dc4\fssclient_x86.msi 1 Trojan.Kyjak

C:\Documents and Settings\Usuário\Configurações locais\Temp\0421064400000a5c6enyiexr4w\fssclient_x86.msi 1 Trojan.Kyjak

C:\Documents and Settings\Usuário\Configurações locais\Temp\0425142000000a1cm51ngef7f5\fssclient_x86.msi 1 Trojan.Kyjak

C:\Documents and Settings\Usuário\Meus documentos\Meus arquivos recebidos\jonas95851441922253\Histórico\darlan.madden_stronda240960986.xml 2 Suspicion for Trojan-Downloader.Win32.Small.alb ( 09AB59DD 093F1A28 0017B7F6 00000000 9219)

C:\System Volume Information\_restore{016C3B26-4755-48D3-BB31-008A539A8BA7}\RP152\A0133649.msi 1 Trojan.Kyjak

C:\System Volume Information\_restore{016C3B26-4755-48D3-BB31-008A539A8BA7}\RP160\A0140968.msi 1 Trojan.Kyjak

C:\System Volume Information\_restore{016C3B26-4755-48D3-BB31-008A539A8BA7}\RP160\A0141170.msi 1 Trojan.Kyjak

C:\System Volume Information\_restore{016C3B26-4755-48D3-BB31-008A539A8BA7}\RP160\A0142220.msi 1 Trojan.Kyjak

C:\System Volume Information\_restore{016C3B26-4755-48D3-BB31-008A539A8BA7}\RP196\A0177895.msi 1 Trojan.Kyjak

C:\System Volume Information\_restore{016C3B26-4755-48D3-BB31-008A539A8BA7}\RP198\A0181873.rbf 1 Trojan.Kyjak

C:\System Volume Information\_restore{016C3B26-4755-48D3-BB31-008A539A8BA7}\RP199\A0182308.msi 1 Trojan.Kyjak

C:\WINDOWS\$NtServicePackUninstall$\format.com 3 PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)

C:\WINDOWS\$NtServicePackUninstall$\more.com 3 PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)

C:\WINDOWS\$NtServicePackUninstall$\reg01409 2 Suspicion for Trojan.Win32.RamEater.10 ( 00025876 00000000 00159777 00128BDF 28672)

C:\WINDOWS\$NtServicePackUninstall$\tree.com 3 PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)

C:\WINDOWS\Installer\207d17.msi 1 Trojan.Kyjak

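Added example, not code from this thread or from AVZ: a small Python triage parser for the "3. Scanning disks" lines of the AVZ log posted above. It separates signature detections from suspicions and low-confidence heuristics, records which files AVZ quarantined, and buckets each hit by where it lives (System Restore points, the Service Pack uninstall backup, installer caches), since the location decides how the hit gets cleaned; the location categories and the 50% cut-off are my assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Lines copied from the AVZ log posted above (section "3. Scanning disks"); a subset is enough.
SAMPLE_LOG = r"""C:\Arquivos de programas\Arquivos comuns\Windows Live\.cache\1528308e1c9c262\fssclient_x86.msi/{MS-OLE}/\8 >>>>> Trojan.Kyjak
Direct reading C:\Documents and Settings\Usuário\ntuser.dat
C:\Documents and Settings\Usuário\Meus documentos\Meus arquivos recebidos\jonas95851441922253\Histórico\darlan.madden_stronda240960986.xml >>> suspicion for Trojan-Downloader.Win32.Small.alb ( 09AB59DD 093F1A28 0017B7F6 00000000 9219)
File quarantined succesfully (C:\Documents and Settings\Usuário\Meus documentos\Meus arquivos recebidos\jonas95851441922253\Histórico\darlan.madden_stronda240960986.xml)
C:\System Volume Information\_restore{016C3B26-4755-48D3-BB31-008A539A8BA7}\RP152\A0133649.msi/{MS-OLE}/\7 >>>>> Trojan.Kyjak
C:\System Volume Information\_restore{016C3B26-4755-48D3-BB31-008A539A8BA7}\RP198\A0181873.rbf/{MS-OLE}/\7 >>>>> Trojan.Kyjak
C:\WINDOWS\$NtServicePackUninstall$\format.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
File quarantined succesfully (C:\WINDOWS\$NtServicePackUninstall$\format.com)
C:\WINDOWS\$NtServicePackUninstall$\reg01409 >>> suspicion for Trojan.Win32.RamEater.10 ( 00025876 00000000 00159777 00128BDF 28672)
C:\WINDOWS\Installer\207d17.msi/{MS-OLE}/\7 >>>>> Trojan.Kyjak
"""

RE_QUARANTINE = re.compile(r"^File quarantined succes?sfully \((.+)\)$")  # AVZ's own spelling varies
RE_HEURISTIC = re.compile(r"^(.+?) - (PE file with modified extension.+?)\(dangerousness level is (\d+)%\)$")
RE_DETECTION = re.compile(r"^(.+?) >>>>> (.+)$")              # signature hit, named verdict
RE_SUSPICION = re.compile(r"^(.+?) >>> suspicion for (\S+)")  # heuristic resemblance to a family

@dataclass
class Finding:
    container: str         # file on disk (the archive itself when the hit is inside one)
    inner: Optional[str]   # object inside the archive, e.g. "{MS-OLE}/\8", else None
    kind: str              # "detection" | "suspicion" | "heuristic"
    verdict: str
    level: Optional[int]   # "dangerousness level" percentage for heuristic hits
    location: str
    quarantined: bool = False

def classify_location(container: str) -> str:
    """Bucket a path by where it lives; the bucket decides how it gets cleaned (assumed categories)."""
    low = container.lower()
    if "\\system volume information\\_restore" in low:
        return "restore_point"        # only purged by turning System Restore off and back on
    if "\\$ntservicepackuninstall$\\" in low:
        return "sp_uninstall_backup"  # Service Pack uninstall backup of Windows files
    if "\\temp\\" in low:
        return "temp"
    if "\\windows\\installer\\" in low or "\\.cache\\" in low:
        return "installer_cache"      # cached MSI packages
    return "user_or_other"

def make_finding(path: str, kind: str, verdict: str, level: Optional[int] = None) -> Finding:
    # Windows paths never contain "/", so the first "/" separates the archive from the object inside it.
    container, inner = path.split("/", 1) if "/" in path else (path, None)
    return Finding(container, inner, kind, verdict, level, classify_location(container))

def parse_scan_lines(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Direct reading "):
            continue  # AVZ reading a locked file directly: informational, not a verdict
        m = RE_QUARANTINE.match(line)
        if m:  # tie the quarantine event back to the finding it acted on
            for f in findings:
                f.quarantined |= f.container == m.group(1)
            continue
        for rx, kind in ((RE_HEURISTIC, "heuristic"), (RE_DETECTION, "detection"), (RE_SUSPICION, "suspicion")):
            m = rx.match(line)
            if m:
                level = int(m.group(3)) if kind == "heuristic" else None
                findings.append(make_finding(m.group(1), kind, m.group(2).strip(), level))
                break
    return findings

def triage(text: str, low_confidence_below: int = 50) -> dict:
    """Summarise which hits need a different cleanup path; the cut-off is an assumption."""
    findings = parse_scan_lines(text)
    return {
        "total": len(findings),
        "quarantined": sum(f.quarantined for f in findings),
        # Deleting a live file does nothing for copies held inside restore points.
        "in_restore_points": sum(f.location == "restore_point" for f in findings),
        # Low-level heuristics on Windows' own backup folder deserve a look before any deletion.
        "low_confidence_heuristics": sum(f.kind == "heuristic" and f.level is not None
                                         and f.level < low_confidence_below for f in findings),
        "by_kind_and_location": dict(Counter((f.kind, f.location) for f in findings)),
    }

if __name__ == "__main__":
    for f in parse_scan_lines(SAMPLE_LOG):
        print(f"[{'Q' if f.quarantined else '-'}] {f.kind:9} {f.location:19} {f.verdict}  <- {f.container}")
    print(triage(SAMPLE_LOG))
```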

Good morning! Jonas Moreira

 

<@> Open avz4 and delete the quarantined files.

<@> Click File --> 'Quarantine Folder Viewer'.

<@> Check all the boxes and click Delete --> Yes!

<@> Also click Delete folder --> Yes --> OK.

<><><><><><><><><><><>

<@> Right-click My Computer --> Properties --> System Restore.

<@> Check: Turn off System Restore --> Apply --> OK.

<@> Go to Start --> Run --> type: cleanmgr --> Wait!

<@> In the Disk Cleanup utility, check all the boxes and confirm!

<@> When that finishes, with System Restore still disabled, run a scan with Nod32.

<@> To finish, go back to System Restore and uncheck the box again.

<@> Click Apply --> OK.

<@> Run another scan with avz4 and post: avz_log.txt + view_log.txt <--

 

Cheers!


Topic Archived

 

Since the author did not reply for more than 30 days, the topic has been archived.

 

If you are the author of the topic and want to reopen it, send a private message to a moderator of this section together with the link to this topic and explain the reason for reopening.
