[Resolvido!] Virus, Trojans e Backdoors

AndGoe · Julho 23, 2009

Boa tarde.

O Laptop de minha esposa está infestado de Trojans e backdoors.

Toda hora o firewall do WinXP pede autorização para liberrar portas.

O HD está particionado em dois e até no "D" tem virus.

Já passei o Malwarebyte´s em modo de segurança e não resolve.

Cada vez aparece mais ocorrencias.

Segue o Log do hijackthis.

Obrigado,

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 05:28:21, on 23/7/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\IVT Corporation\BlueSoleil\BTNtService.exe

C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe

C:\Arquivos de programas\Java\jre6\bin\jusched.exe

C:\WINDOWS\sm56hlpr.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\mHotkey.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\BisonCam\BisonHK.exe

C:\WINDOWS\System32\TUProgSt.exe

C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Windows Sidebar\sidebar.exe

C:\WINDOWS\system32\oobe\sample\tclock.exe

C:\DOCUME~1\TANIAA~1\CONFIG~1\Temp\{86C1FF05-04C1-4CA6-871C-23B970A52778}\VistaBTSe7en.exe

C:\WINDOWS\system32\bndmss.exe

C:\Arquivos de programas\Windows Sidebar\sidebar.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\DOCUME~1\TANIAA~1\CONFIG~1\Temp\941.exe

C:\WINDOWS\system32\wuauclt.exe

D:\Install\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bndmss.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Advanced DHTML Enable] C:\DOCUME~1\TANIAA~1\CONFIG~1\Temp\941.exe

O4 - HKLM\..\Run: [Windows Network Data Management System Service] "C:\WINDOWS\system32\bndmss.exe" *

O4 - HKLM\..\Run: [synTPEnh] C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [sMSERIAL] C:\WINDOWS\sm56hlpr.exe

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

O4 - HKLM\..\Run: [CHotkey] mHotkey.exe

O4 - HKLM\..\Run: [bisonHK] C:\WINDOWS\BisonCam\BisonHK.exe

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [12CFG914-K641-26SF-N32P] C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')

O4 - Global Startup: Atalho para sidebar.lnk = C:\Arquivos de programas\Windows Sidebar\sidebar.exe

O4 - Global Startup: Atalho para tclock.lnk = C:\WINDOWS\system32\oobe\sample\tclock.exe

O4 - Global Startup: VistaBTSe7en.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1244755943312

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll

O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Arquivos de programas\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: Windows Network Data Management System Service (BNDMSS) - Unknown owner - C:\WINDOWS\system32\bndmss.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe

O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

--

End of file - 7175 bytes

PedroN · Julho 23, 2009

Faça o download do ComboFix de um destes locais:

Link 1.

Link 2.

Link 3.

Importante!

Você não deve usar Combofix a menos que você tenha sido instruído a fazê-lo por um análista de segurança.

Destina-se pelo seu criador para ser utilizado sob orientação e supervisão de um especialista, e não para uso privado.

Utilizando esta ferramenta incorreto poderia levar a desastrosa problemas com o seu sistema operacional.

Certifique-se de que você salvou ComboFix.exe para o seu desktop.

• Desabilite o seu Antivírus e AntiSpyware , geralmente através de um clique direito sobre o ícone da bandeja do sistema. Eles podem interferir na execução da ferramenta.

• Dê um duplo clique no ComboFix.exe & siga as instruções.

• Como parte de seu processo, ComboFix irá verificar se o Microsoft Windows Recovery Console está instalado. Como as infecções de malware são hoje, é fortemente recomendado que esteja pré-instalado em sua máquina antes de fazer qualquer remoção de malware. Ela permitirá que você arrancar em especial uma recuperação / reparação modo a permitir-nos-á mais fácil ajudá-lo a seu computador deve ter um problema após uma tentativa de remoção de malware.

• Siga as instruções para permitir ComboFix para baixar e instalar o Microsoft Windows Recovery Console e, quando for solicitado, concordar com o End-User License Agreement para instalar o Microsoft Windows Recovery Console.

-- Atenção: Se a consola de recuperação do Microsoft Windows já estiver instalado, ComboFix irá continuar a sua remoção malware procedimentos.

Uma vez que o Microsoft Windows Recovery Console é instalado usando o ComboFix, você deverá ver a seguinte mensagem:

Clique em Sim, para continuar a varredura de malware.

Quando terminar, ela deve produzir um log para você. Poste o relatorio do combofix que estar em C: \ ComboFix.txt junto com um log do hijackthis.

AndGoe · Julho 23, 2009

PedroN

Obrigado pela atenção.

Procedi de acordo como você falou.

Segue o log do ComboFix e abaixo o do HijackThis.

ComboFix 09-07-23.01 - TaniaArruda 23/07/2009 16:40.2.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.1983.1596 [GMT -3:00]

Executando de: c:\documents and settings\TaniaArruda\Desktop\ComboFix.exe

.

(((((((((((((((( Arquivos/Ficheiros criados de 2009-06-23 to 2009-07-23 ))))))))))))))))))))))))))))

.

2009-07-22 16:00 . 2009-07-22 16:00 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\Malwarebytes

2009-07-22 15:57 . 2009-07-22 15:57 10752 ----a-w- c:\windows\DCEBoot.exe

2009-07-22 15:49 . 2009-07-22 15:49 -------- d-----w- c:\documents and settings\TaniaArruda\Dados de aplicativos\Malwarebytes

2009-07-22 15:49 . 2009-07-13 16:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-22 15:49 . 2009-07-22 15:49 -------- d-----w- c:\arquivos de programas\Malwarebytes' Anti-Malware

2009-07-22 15:49 . 2009-07-22 15:49 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes

2009-07-22 15:49 . 2009-07-13 16:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-22 06:00 . 2009-07-22 06:00 -------- d-----w- c:\windows\ie8updates

2009-07-21 12:07 . 2009-04-30 21:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2009-07-21 12:07 . 2009-04-30 21:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2009-07-20 22:40 . 2009-07-20 22:40 -------- d-sh--w- c:\documents and settings\TaniaArruda\IECompatCache

2009-07-20 22:39 . 2009-07-20 22:39 -------- d-sh--w- c:\documents and settings\TaniaArruda\PrivacIE

2009-07-20 22:35 . 2009-07-20 22:35 -------- d-sh--w- c:\documents and settings\TaniaArruda\IETldCache

2009-07-20 22:30 . 2009-07-20 22:31 -------- dc-h--w- c:\windows\ie8

2009-07-20 15:22 . 2008-04-13 10:17 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys

2009-07-20 15:22 . 2008-04-13 10:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys

2009-07-18 15:58 . 2009-07-18 15:58 -------- d-----w- c:\windows\NV2752932.TMP

2009-07-18 15:54 . 2009-02-09 11:17 2070400 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe

2009-07-18 15:54 . 2009-02-09 11:17 2149376 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe

2009-07-18 15:54 . 2009-02-09 11:17 2028032 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe

2009-07-16 15:30 . 2009-07-16 15:31 -------- d-----w- c:\windows\system32\Adobe

2009-07-13 00:47 . 2009-07-13 00:55 -------- d-----w- c:\documents and settings\TaniaArruda\.housecall6.6

2009-07-11 18:37 . 2009-07-11 18:38 -------- d-----w- C:\$WIN_NT$.~BT

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-22 16:31 . 2001-09-28 03:30 78788 ----a-w- c:\windows\system32\perfc016.dat

2009-07-22 16:31 . 2001-09-28 03:30 472132 ----a-w- c:\windows\system32\perfh016.dat

2009-06-20 00:29 . 2009-06-12 21:55 -------- d-----w- c:\arquivos de programas\TuneUp Utilities 2009

2009-06-16 14:39 . 2008-04-13 13:50 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:39 . 2008-04-13 13:50 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-13 12:42 . 2009-06-13 12:40 -------- d--h--w- c:\arquivos de programas\Scpad

2009-06-12 21:55 . 2009-06-12 21:55 604416 ----a-w- c:\windows\system32\TUProgSt.exe

2009-06-12 21:55 . 2009-06-12 21:55 361216 ----a-w- c:\windows\system32\TuneUpDefragService.exe

2009-06-12 21:55 . 2009-06-12 21:55 -------- d-----w- c:\documents and settings\TaniaArruda\Dados de aplicativos\TuneUp Software

2009-06-12 21:55 . 2009-06-12 21:55 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\TuneUp Software

2009-06-12 21:54 . 2009-06-12 21:54 -------- d-sh--w- c:\documents and settings\All Users\Dados de aplicativos\{55A29068-F2CE-456C-9148-C869879E2357}

2009-06-12 19:36 . 2009-06-11 20:19 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2009-06-12 12:16 . 2009-06-12 12:16 -------- d-----w- c:\arquivos de programas\Realtek

2009-06-11 22:29 . 2009-06-11 21:43 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\NOS

2009-06-11 22:29 . 2009-06-11 21:43 -------- d-----w- c:\arquivos de programas\NOS

2009-06-11 21:49 . 2009-06-11 21:49 -------- d-----w- c:\arquivos de programas\IrfanView

2009-06-11 21:45 . 2009-06-11 21:44 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Adobe

2009-06-11 21:23 . 2009-06-11 21:23 -------- d-----w- c:\arquivos de programas\Marcos Velasco Security

2009-06-11 21:14 . 2009-06-11 21:14 -------- d-----w- c:\arquivos de programas\XP Codec Pack

2009-06-11 21:09 . 2009-06-11 21:09 -------- d-----w- c:\documents and settings\TaniaArruda\Dados de aplicativos\Media Player Classic

2009-06-11 20:34 . 2009-06-11 20:34 -------- d-----w- c:\arquivos de programas\MSBuild

2009-06-11 20:34 . 2009-06-11 20:34 -------- d-----w- c:\arquivos de programas\Reference Assemblies

2009-06-11 20:26 . 2009-06-11 20:26 -------- d-----w- c:\arquivos de programas\Windows Sidebar

2009-06-11 20:26 . 2009-06-11 20:26 -------- d-----w- c:\arquivos de programas\microsoft frontpage

2009-06-11 20:25 . 2009-06-11 20:25 -------- d-----w- c:\arquivos de programas\Alky for Applications

2009-06-11 20:23 . 2009-06-11 20:23 -------- d-----w- c:\arquivos de programas\CCleaner

2009-06-11 20:21 . 2009-06-11 20:21 -------- d-----w- c:\arquivos de programas\Windows Live

2009-06-11 20:19 . 2009-06-11 20:19 -------- d-----w- c:\arquivos de programas\Serviços on-line

2009-06-11 20:18 . 2009-06-11 20:18 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Serviços

2009-06-11 20:17 . 2009-06-11 20:17 21844 ----a-w- c:\windows\system32\emptyregdb.dat

2009-06-11 20:17 . 2009-06-11 20:17 -------- d-----w- c:\arquivos de programas\Windows Media Connect 2

2009-06-11 13:23 . 2009-06-11 13:23 -------- d-----w- c:\arquivos de programas\Microsoft.NET

2009-06-11 12:53 . 2009-06-11 12:53 -------- d-----w- c:\arquivos de programas\IVT Corporation

2009-06-11 12:49 . 2009-06-11 20:23 -------- d-----w- c:\arquivos de programas\Java

2009-06-11 12:49 . 2009-06-11 12:45 152576 ----a-w- c:\documents and settings\TaniaArruda\Dados de aplicativos\Sun\Java\jre1.6.0_13\lzma.dll

2009-06-11 12:24 . 2009-06-11 12:24 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\nView_Profiles

2009-06-11 12:22 . 2009-06-12 12:16 -------- d--h--w- c:\arquivos de programas\InstallShield Installation Information

2009-06-11 12:21 . 2009-06-11 12:21 -------- d-----w- c:\documents and settings\TaniaArruda\Dados de aplicativos\InstallShield

2009-06-11 12:19 . 2009-06-11 12:19 -------- d-----w- c:\arquivos de programas\DIFX

2009-06-11 12:17 . 2009-06-11 12:17 -------- d-----w- c:\arquivos de programas\Synaptics

2009-06-11 12:17 . 2009-06-11 19:43 -------- d-----w- c:\arquivos de programas\Arquivos comuns\InstallShield

2009-06-03 19:12 . 2009-01-13 03:23 1295872 ----a-w- c:\windows\system32\quartz.dll

2009-05-13 05:03 . 2008-10-16 19:23 915456 ----a-w- c:\windows\system32\wininet.dll

2009-05-07 15:33 . 2008-04-13 13:50 347136 ----a-w- c:\windows\system32\localspl.dll

2009-04-27 17:21 . 2009-06-12 21:55 28928 ----a-w- c:\windows\system32\uxtuneup.dll

2008-10-26 23:46 . 2009-06-11 20:25 107597 ----a-w- c:\arquivos de programas\Settings.exe

.

------- Sigcheck -------

[-] 2009-01-13 07:14 361600 E88631E21A9CACA06104802F9E915115 c:\windows\system32\drivers\tcpip.sys

[-] 2009-01-14 07:52 1571840 FD7CF3BCCBC3F88094901A69A2C89664 c:\windows\system32\sfcfiles.dll

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-27 7561216]

"SynTPEnh"="c:\arquivos de programas\Synaptics\SynTP\SynTPEnh.exe" [2005-08-01 729177]

"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"SMSERIAL"="c:\windows\sm56hlpr.exe" [2006-04-05 565248]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]

"BisonHK"="c:\windows\BisonCam\BisonHK.exe" [2007-10-03 77824]

"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-06-13 16239616]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-04-27 1519616]

"CHotkey"="mHotkey.exe" - c:\windows\mHotkey.exe [2001-12-26 472576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"_nltide_2"="shell32" [X]

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\

Atalho para sidebar.lnk - c:\arquivos de programas\Windows Sidebar\sidebar.exe [2007-7-28 1230848]

Atalho para tclock.lnk - c:\windows\system32\oobe\sample\tclock.exe [2009-6-11 135168]

VistaBTSe7en.exe [2007-7-20 1222144]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^24.EXE]

backup=c:\windows\pss\24.EXECommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Temporary Shortcut.lnk]

backup=c:\windows\pss\Temporary Shortcut.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=

R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [12/6/2009 18:55 604416]

S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [11/6/2009 13:11 194304]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]

"c:\arquivos de programas\Windows Sidebar\sidebar.exe" /RegServer

.

Conteúdo da pasta 'Tarefas Agendadas'

2009-07-20 c:\windows\Tasks\1-Click Maintenance.job

- c:\arquivos de programas\TuneUp Utilities 2009\OneClickStarter.exe [2009-04-27 18:37]

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.terra.com.br/

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-23 16:42

Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

**************************************************************************

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'explorer.exe'(1936)

c:\windows\system32\WININET.dll

c:\windows\system32\msi.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\wpdshserviceobj.dll

c:\windows\system32\portabledevicetypes.dll

c:\arquivos de programas\Scpad\scpLIB.dll

c:\arquivos de programas\Scpad\scpMIB.dll

c:\arquivos de programas\Scpad\sshib.dll

c:\windows\system32\portabledeviceapi.dll

.

Tempo para conclusão: 2009-07-23 16:43

ComboFix-quarantined-files.txt 2009-07-23 19:43

Pré-execução: 10 pasta(s) 30.293.622.784 bytes disponíveis

Pós execução: 10 pasta(s) 30.285.541.376 bytes disponíveis

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /kernel=bootnew7.exe

multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

174 --- E O F --- 2009-07-22 06:00

Agora o do Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:45:55, on 23/7/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\IVT Corporation\BlueSoleil\BTNtService.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\TUProgSt.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe

C:\Arquivos de programas\Java\jre6\bin\jusched.exe

C:\WINDOWS\sm56hlpr.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

C:\WINDOWS\mHotkey.exe

C:\WINDOWS\BisonCam\BisonHK.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Windows Sidebar\sidebar.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTW10.exe

C:\WINDOWS\explorer.exe