[Resolvido!] AntiVirus sendo deletado/apagado

PauloPR · Agosto 16, 2009

Boa noite pessoal,

estou com um problema em meu computador. Instalei o antivirus Avast nele e após alguns dias verifiquei que o mesmo foi apagado. Quando inicializei o windows, abriu um arquivo chamado "avenger.txt" com várias informações: "Logfile of the Avenger Version 2.0 by Swangdog 46....". No meio do texto, encontrei a instrução para deletar meu antivirius Avast.

Como solicitado por vocês do Forum, executei o HijackThis. Segue abaixo o arquivo LOG:

Espero que me ajudem.

Agradeço pela atenção.

Paulo

***** INICIO *****

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:49:16, on 16/8/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Arquivos de programas\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\DOCUME~1\Thais\CONFIG~1\Temp\WindowsDefender.exe

C:\Hijack\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

O1 - Hosts: 199.238.144.115 www.checktudo.com.br

O1 - Hosts: 199.238.144.115 checktudo.com.br

O1 - Hosts: 199.238.144.115 visanet.com.br

O1 - Hosts: 199.238.144.115 www.visanet.com.br

O1 - Hosts: 199.238.144.115 www.openbank.es

O1 - Hosts: 199.238.144.115 openbank.es

O1 - Hosts: 199.238.144.115 www.lacaixa.es

O1 - Hosts: 199.238.144.115 lacaixa.es

O1 - Hosts: 199.238.144.115 www.bancoreal.com.br

O1 - Hosts: 199.238.144.115 www.real.com.br

O1 - Hosts: 199.238.144.115 www.itau.com.br

O1 - Hosts: 199.238.144.115 itau.com.br

O1 - Hosts: 199.238.144.115 www.itaupersonnalite.com.br

O1 - Hosts: 199.238.144.115 itaupersonnalite.com.br

O1 - Hosts: 199.238.144.115 www.itauprivatebank.com.br

O1 - Hosts: 199.238.144.115 itauprivatebank.com.br

O1 - Hosts: 199.238.144.115 www.bb.com.br

O1 - Hosts: 199.238.144.115 bb.com.br

O1 - Hosts: 199.238.144.115 www.bb.gov.br

O1 - Hosts: 199.238.144.115 bb.gov.br

O1 - Hosts: 199.238.144.115 bradesco.com.br

O1 - Hosts: 199.238.144.115 www.bradesco.com.br

O1 - Hosts: 199.238.144.115 www.bradescoprime.com.br

O1 - Hosts: 199.238.144.115 bradescoprime.com.br

O1 - Hosts: 199.238.144.115 bradescojuridico.com.br

O1 - Hosts: 199.238.144.115 www.infoseg.gov.br

O1 - Hosts: 199.238.144.115 infoseg.gov.br

O1 - Hosts: 199.238.144.115 www.real.com.br

O1 - Hosts: 199.238.144.115 real.com.br

O1 - Hosts: 199.238.144.115 www.bradescojuridico.com.br

O1 - Hosts: 199.238.144.115 santander.com.br

O1 - Hosts: 199.238.144.115 www.santander.com.br

O1 - Hosts: 199.238.144.115 banespa.com.br

O1 - Hosts: 199.238.144.115 www.nossacaixa.com.br

O1 - Hosts: 199.238.144.115 nossacaixa.com.br

O1 - Hosts: 199.238.144.115 www.unibanco.com.br

O1 - Hosts: 199.238.144.115 unibanco.com.br

O1 - Hosts: 199.238.144.115 www.banespa.com.br

O1 - Hosts: 199.238.144.115 banespa.com.br

O1 - Hosts: 199.238.144.115 www.itauprivatebank.com.br

O1 - Hosts: 199.238.144.115 itauprivatebank.com.br

O1 - Hosts: 199.238.144.115 caixacatalunya.es

O1 - Hosts: 199.238.144.115 www.caixacatalunya.es

O1 - Hosts: 199.238.144.115 banesto.es

O1 - Hosts: 199.238.144.115 www.banesto.es

O1 - Hosts: 199.238.144.115 www.cajamadrid.es

O1 - Hosts: 199.238.144.115 cajamadrid.es

O1 - Hosts: 199.238.144.115 www.bbva.es

O1 - Hosts: 199.238.144.115 bbva.es

O1 - Hosts: 199.238.144.115 serasa.com.br

O1 - Hosts: 199.238.144.115 www.serasa.com.br

O1 - Hosts: 199.238.144.115 www.cam.es

O1 - Hosts: 199.238.144.115 cam.es

O1 - Hosts: 199.238.144.115 portal.lacaixa.es

O1 - Hosts: 199.238.144.115 www.banespa.com.br

O1 - Hosts: 198.65.62.140 www.caixa.com.br

O1 - Hosts: 198.65.62.140 caixa.com.br

O1 - Hosts: 198.65.62.140 www.caixaeconomicafederal.com.br

O1 - Hosts: 198.65.62.140 caixaeconomicafederal.com.br

O1 - Hosts: 198.65.62.140 www.cef.com.br

O1 - Hosts: 198.65.62.140 cef.com.br

O1 - Hosts: 198.65.62.140 www.caixa.gov.br

O1 - Hosts: 198.65.62.140 caixa.gov.br

O1 - Hosts: 198.65.62.140 www.caixaeconomica.com.br

O1 - Hosts: 198.65.62.140 caixaeconomica.com.br

O1 - Hosts: 198.65.62.140 www.caixaeconomica.gov.br

O1 - Hosts: 198.65.62.140 caixaeconomica.gov.br

O1 - Hosts: 198.65.62.140 www.cef.gov.br

O1 - Hosts: 198.65.62.140 www.caixaeconomicafederal.gov.br

O1 - Hosts: 198.65.62.140 caixaeconomicafederal.gov.br

O1 - Hosts: 199.238.144.115 cetelem.com.br

O1 - Hosts: 199.238.144.115 www.cetelem.com.br

O1 - Hosts: 199.238.144.115 citibank.com.br

O1 - Hosts: 199.238.144.115 www.citibank.com.br

O1 - Hosts: 199.238.144.115 www.pagamentodigital.com.br

O1 - Hosts: 199.238.144.115 pagamentodigital.com.br

O1 - Hosts: 199.238.144.115 www.cartaobndes.gov.br

O1 - Hosts: 199.238.144.115 cartaobndes.gov.br

O1 - Hosts: 199.238.144.115 americanas.com.br

O1 - Hosts: 199.238.144.115 www.americanas.com.br

O1 - Hosts: 199.238.144.115 americanas.com

O1 - Hosts: 199.238.144.115 www.americanas.com

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MessengerPlus] "C:\DOCUME~1\Thais\CONFIG~1\Temp\WindowsDefender.exe"

O4 - HKCU\..\Run: [WindowsDef] "C:\DOCUME~1\Thais\CONFIG~1\Temp\WindowsDefender.exe"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1248638962390

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1249845131125

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe (file missing)

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe (file missing)

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe (file missing)

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

--

End of file - 9150 bytes

***** FIM *****

Power Max · Agosto 17, 2009

:thumbsup: Olá Paulo!

:seta: Faça o download do HostsXpert.zip:

http://www.funkytoad.com/download/HostsXpert.zip

• Extraia (unzip) HostsXpert.zip para uma pasta permanente do seu drive (exemplo C:\HostsXpert)

• Duplo clique em HostsXpert.exe para executar o programa.

• Se disponivel, clique em "Make Hosts Writable?" (estará no canto superior direito).

• Clique em "Restore Microsoft's Hosts file" e depois clique em "OK".

• Clique no X para sair do programa.

________________________________________________________

:seta: Sugiro que você salve ou imprima essas instruções abaixo, pois em alguns momentos você poderá precisar usar o computador sem o acesso à internet:

Faça o download do ComboFix

1) Desabilite o seu anti-vírus temporariamente;

2) Dê um duplo-clique no combofix.exe e aguarde (o processo total demora cerca de 10 minutos);

3) A janela de “NEGAÇÃO DE GARANTIA DO SOFTWARE” abrir-se-á. Clique em “SIM” para continuar.

4) Outra janela irá abrir, caso a sua máquina não possua o CONSOLE DE RECUPERAÇÃO DO WINDOWS. É recomendável executar a instalação do console antes de dar continuidade ao processo, pois tal ação proporcionará a garantia de que o sistema poderá ser recuperado em caso de problemas durante a varredura.

Clique sobre “SIM” e aguarde, pois o processo de instalação do console dar-se-á automaticamente através do próprio ComboFix. Ele poderá demorar alguns minutos (dependerá da velocidade de sua conexão), portanto seja paciente.

Quando a janela “INSTALANDO O CONSOLE DE RECUPERAÇÃO” aparecer clique em “OK”, depois clique sobre “SIM” para aceitar a licença EULA.

Ao término da instalação do console de recuperação abrir-se-á uma janela avisando que “O CONSOLE DE RECUPERAÇÃO FOI INSTALADO COM SUCESSO”.

Clique sobre “SIM” para continuar a varredura.

5) O ComboFix iniciará o AUTOSCAN (aguarde).

ATENÇÃO: Não clique na janela do ComboFix, nem termine o processo abruptamente enquanto a ferramenta estiver sendo executada, pois isto implicará na desconfiguração de seu desktop (ele ficará todo branco).

Ao término do processo a máquina será reiniciada para a emissão do relatório.

6) Ao reiniciar a máquina o ComboFix irá executar o FIND3M para a criação do relatório final da varredura. O log dele estará em C:\ComboFix.txt.

7) Reabilite o seu anti-vírus;

OBS.1: Caso apareça uma mensagem avisando que ESTE NÃO É UM APLICATIVO WIN 32 VÁLIDO ou caso os virus ou malwares bloqueiem a execução do Combofix, baixe o ComboFix novamente, mas salve-o em seu Desktop como KomboFix. Neste caso, nomeie-o como Kombofix durante o salvamento e não após salvá-lo!

Em último caso, se não for possível executar o Combofix no Modo Normal do Windows, tente utilizar o ComboFix em MODO SEGURO (reiniciando o computador e pressionando a tecla F8 intermitentemente, ou F5 em alguns casos, durante a inicialização e escolha a opção Modo Seguro na tela que se apresenta) e repita o procedimento;

OBS.2: Caso haja um clique sobre a janela do ComboFix em execução, ela irá MAXIMIZAR, sobrepondo-se sobre as demais. Para minimizá-la novamente basta utilizar a combinação ALT + TAB.

* Se por algum motivo você precisar parar ou sair do ComboFix, tecle "N".

* Se perder a conexão com a internet, reinicie o computador. Caso o problema persista, abra Conexões de Rede no Painel de Controle, clique com o botão direito do mouse sobre a sua conexão com a internet e em "Reparar";

Poste o log do Combofix que estará em C:\ComboFix.txt juntamente com um novo log do Hijackthis em sua próxima resposta e nos diga como está o seu PC depois disto.

Ficamos no aguardo.

PauloPR · Agosto 20, 2009

Olá Antonio,

primeiramente obrigado pela ajuda. Executei os dois softwares conforme suas instruções. Segue abaixo os logs:

COMBOFIX.txt

******* INICIO ********

ComboFix 09-08-19.01 - Thais 19/08/2009 22:43.1.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.511.299 [GMT -3:00]

Executando de: c:\documents and settings\Thais\Desktop\ComboFix.exe

AV: avast! antivirus 4.8.1335 [VPS 090810-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

* Criado um novo ponto de restauração

.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Fonts\AcadEref.ttf

c:\windows\system32\msssc.dll

.

(((((((((((((((( Arquivos/Ficheiros criados de 2009-07-20 to 2009-08-20 ))))))))))))))))))))))))))))

.

2009-08-20 01:25 . 2009-08-20 01:25 -------- d-----w- C:\HostsXpert

2009-08-20 01:00 . 2009-08-20 01:34 598 ----a-w- C:\sysb.bat

2009-08-16 21:48 . 2009-08-16 21:49 -------- d-----w- C:\Hijack

2009-08-11 00:12 . 2009-08-20 01:34 598 ----a-w- C:\fsys.bat

2009-08-09 22:49 . 2008-04-14 02:20 26624 ----a-w- c:\documents and settings\LocalService\Dados de aplicativos\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

2009-08-09 22:28 . 2008-04-13 18:45 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys

2009-08-09 20:49 . 2006-06-29 16:07 14048 ------w- c:\windows\system32\spmsg2.dll

2009-08-08 21:45 . 2009-08-08 22:06 -------- d-----w- c:\arquivos de programas\AutoCAD 2008

2009-08-08 21:45 . 2009-08-08 21:45 -------- d-----w- c:\documents and settings\Thais\Dados de aplicativos\Autodesk

2009-08-08 21:45 . 2009-08-08 21:45 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Autodesk

2009-08-08 21:43 . 2009-08-08 22:06 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Autodesk Shared

2009-08-08 21:43 . 2009-08-08 21:43 -------- d-----w- c:\arquivos de programas\Autodesk

2009-08-08 21:13 . 2003-06-19 04:31 17920 ----a-w- c:\windows\system32\mdimon.dll

2009-08-08 21:09 . 2009-08-08 21:09 -------- d-----w- c:\arquivos de programas\Microsoft Works

2009-08-08 21:08 . 2009-08-08 21:10 -------- d-----w- c:\windows\SHELLNEW

2009-08-08 21:07 . 2009-08-08 21:07 -------- d-----w- c:\arquivos de programas\Microsoft.NET

2009-08-02 23:17 . 2009-08-02 23:29 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\NOS

2009-08-02 23:17 . 2009-08-02 23:29 -------- d-----w- c:\arquivos de programas\NOS

2009-08-02 23:01 . 2009-08-02 23:01 -------- d-----w- c:\windows\Sun

2009-08-02 22:53 . 2009-08-17 15:43 -------- d-----w- c:\documents and settings\Thais\Tracing

2009-08-02 22:46 . 2009-08-02 22:46 -------- d-----w- c:\arquivos de programas\Microsoft

2009-08-02 22:46 . 2009-08-02 22:46 -------- d-----w- c:\arquivos de programas\Windows Live SkyDrive

2009-08-02 22:46 . 2009-08-02 22:46 -------- d-----w- c:\arquivos de programas\Windows Live

2009-08-02 22:04 . 2009-08-02 22:04 410984 ----a-w- c:\windows\system32\deploytk.dll

2009-08-02 22:04 . 2009-08-02 22:04 -------- d-----w- c:\arquivos de programas\Java

2009-08-02 22:04 . 2009-08-02 22:04 152576 ----a-w- c:\documents and settings\Thais\Dados de aplicativos\Sun\Java\jre1.6.0_14\lzma.dll

2009-08-02 21:42 . 2009-08-02 21:42 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Windows Live

2009-08-02 14:29 . 2009-08-02 14:29 -------- d-----w- c:\documents and settings\Thais\Dados de aplicativos\Windows Search

2009-08-02 14:12 . 2009-08-09 20:49 -------- d-----w- c:\windows\system32\XPSViewer

2009-08-02 14:12 . 2009-08-02 14:12 -------- d-----w- c:\arquivos de programas\MSBuild

2009-08-02 14:12 . 2009-08-02 14:12 -------- d-----w- c:\arquivos de programas\Reference Assemblies

2009-08-02 14:12 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-08-02 14:12 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2009-08-02 14:12 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-08-02 14:12 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2009-08-02 14:12 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2009-08-02 14:12 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2009-08-02 14:12 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2009-08-02 05:32 . 2009-08-02 05:32 -------- d-----w- c:\documents and settings\Thais\Dados de aplicativos\Windows Desktop Search

2009-08-02 05:32 . 2009-08-02 21:11 -------- d-----w- c:\arquivos de programas\Windows Desktop Search

2009-08-02 05:32 . 2009-08-02 05:32 -------- d-----w- c:\windows\system32\GroupPolicy

2009-08-02 05:31 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll

2009-08-02 05:31 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll

2009-08-02 05:31 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll

2009-08-02 05:31 . 2009-08-02 05:31 -------- d-----w- c:\arquivos de programas\Windows Media Connect 2

2009-08-02 05:30 . 2009-08-02 05:30 -------- d-----w- c:\windows\system32\drivers\UMDF

2009-08-02 05:30 . 2009-08-02 05:30 -------- d-----w- c:\windows\system32\LogFiles

2009-08-02 05:28 . 2009-08-02 05:29 -------- d-----w- c:\windows\system32\URTTemp

2009-08-02 03:23 . 2009-03-06 14:20 286208 -c----w- c:\windows\system32\dllcache\pdh.dll

2009-08-02 03:23 . 2009-02-09 11:25 2193280 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe

2009-08-02 03:23 . 2009-02-09 11:25 111104 -c----w- c:\windows\system32\dllcache\services.exe

2009-08-02 03:23 . 2009-02-09 10:53 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll

2009-08-02 03:23 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe

2009-08-02 03:23 . 2009-02-09 10:53 731648 -c----w- c:\windows\system32\dllcache\lsasrv.dll

2009-08-02 03:23 . 2009-02-09 10:53 730624 -c----w- c:\windows\system32\dllcache\ntdll.dll

2009-08-02 03:23 . 2009-02-09 10:53 683520 -c----w- c:\windows\system32\dllcache\advapi32.dll

2009-08-02 03:23 . 2009-02-09 10:53 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll

2009-08-02 03:23 . 2009-02-09 10:53 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll

2009-08-02 03:23 . 2009-02-09 11:25 2028032 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe

2009-08-02 03:23 . 2009-02-09 11:25 2149376 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe

2009-08-02 03:17 . 2008-04-21 21:15 216064 -c----w- c:\windows\system32\dllcache\wordpad.exe

2009-08-02 03:08 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys

2009-08-02 02:53 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2009-08-02 02:50 . 2008-09-04 17:16 1106944 -c----w- c:\windows\system32\dllcache\msxml3.dll

2009-08-02 02:49 . 2008-10-15 16:36 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll

2009-08-02 02:48 . 2008-05-01 14:36 331776 -c----w- c:\windows\system32\dllcache\msadce.dll

2009-08-02 02:45 . 2008-04-11 19:05 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll

2009-08-02 02:43 . 2008-05-09 10:55 90112 -c----w- c:\windows\system32\dllcache\wshext.dll

2009-08-02 02:43 . 2008-05-09 10:55 430080 -c----w- c:\windows\system32\dllcache\vbscript.dll

2009-08-02 02:43 . 2008-05-09 10:55 512000 -c----w- c:\windows\system32\dllcache\jscript.dll

2009-08-02 02:43 . 2008-05-09 10:55 180224 -c----w- c:\windows\system32\dllcache\scrobj.dll

2009-08-02 02:43 . 2008-05-09 10:55 172032 -c----w- c:\windows\system32\dllcache\scrrun.dll

2009-08-02 02:43 . 2008-05-09 08:45 135168 -c----w- c:\windows\system32\dllcache\cscript.exe

2009-08-02 02:43 . 2008-05-08 11:24 155648 -c----w- c:\windows\system32\dllcache\wscript.exe

2009-08-02 02:34 . 2008-06-14 17:34 272384 -c----w- c:\windows\system32\dllcache\bthport.sys

2009-08-02 02:33 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys

2009-08-02 01:00 . 2009-08-09 20:49 -------- d-----w- c:\windows\system32\pt-br

2009-08-02 01:00 . 2009-08-02 01:00 -------- d-----w- c:\windows\l2schemas

2009-08-02 01:00 . 2009-08-02 01:00 -------- d-----w- c:\windows\system32\bits

2009-08-02 00:58 . 2009-08-02 01:00 -------- d-----w- c:\windows\ServicePackFiles

2009-07-28 23:20 . 2004-08-04 03:36 701440 ------w- c:\windows\system32\drivers\ati2mtag.sys

2009-07-26 21:51 . 2009-05-12 18:12 26144 ----a-w- c:\windows\system32\spupdsvc.exe

2009-07-26 21:51 . 2009-08-09 20:02 -------- d--h--w- c:\windows\$hf_mig$

2009-07-26 20:16 . 2008-10-16 17:09 43544 ----a-w- c:\windows\system32\wups2.dll

2009-07-26 19:53 . 2009-07-26 19:53 -------- d-s---w- c:\documents and settings\Thais\UserData

2009-07-26 19:48 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\drivers\usbaudio.sys

2009-07-26 19:46 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys

2009-07-26 19:31 . 2009-07-26 19:31 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Adobe

2009-07-26 19:30 . 2009-07-26 19:30 -------- d-----w- c:\windows\nvidia icons

2009-07-26 19:30 . 2009-07-26 19:30 -------- d-----w- c:\windows\nview

2009-07-26 19:30 . 2008-05-03 01:46 442368 ----a-w- c:\windows\system32\nvudisp.exe

2009-07-26 19:30 . 2008-04-30 20:27 442368 ----a-w- c:\windows\system32\NVUNINST.EXE

2009-07-26 19:27 . 2004-10-05 19:54 306688 ----a-w- c:\windows\IsUninst.exe

2009-07-26 19:24 . 2003-08-04 19:56 45056 ----a-w- c:\windows\system32\vusetup.dll

2009-07-26 19:24 . 2003-08-04 18:29 11392 ----a-w- c:\windows\system32\drivers\vulfntr.sys

2009-07-26 19:24 . 2003-08-04 18:29 6912 ----a-w- c:\windows\system32\drivers\vulfnth.sys

2009-07-26 19:24 . 1998-11-13 16:18 308224 ----a-w- c:\windows\IsUn0416.exe

2009-07-26 19:22 . 2008-09-22 06:41 43520 ----a-w- c:\windows\system32\drivers\fetnd5bv.sys

2009-07-26 19:22 . 2006-10-27 11:26 69632 ----a-w- c:\windows\system32\vuins32.dll

2009-07-26 19:22 . 2003-07-17 19:10 7040 ----a-r- c:\windows\system32\ntsim.sys

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-12 10:34 . 2009-07-26 21:00 -------- d-----w- c:\arquivos de programas\Alwil Software

2009-08-08 21:43 . 2009-07-26 19:21 -------- d-----w- c:\arquivos de programas\Arquivos comuns\InstallShield

2009-08-02 15:17 . 2004-08-04 11:00 82770 ----a-w- c:\windows\system32\perfc016.dat

2009-08-02 15:17 . 2004-08-04 11:00 476876 ----a-w- c:\windows\system32\perfh016.dat

2009-07-28 23:47 . 2009-07-26 18:56 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2009-07-26 19:21 . 2009-07-26 19:21 -------- d--h--w- c:\arquivos de programas\InstallShield Installation Information

2009-07-26 19:21 . 2009-07-26 19:21 -------- d-----w- c:\arquivos de programas\Analog Devices

2009-07-26 18:57 . 2009-07-26 18:57 -------- d-----w- c:\arquivos de programas\microsoft frontpage

2009-07-26 18:55 . 2009-07-26 18:55 -------- d-----w- c:\arquivos de programas\Serviços on-line

2009-07-26 18:54 . 2009-07-26 18:54 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Serviços

2009-07-26 18:53 . 2009-07-26 18:53 21844 ----a-w- c:\windows\system32\emptyregdb.dat

2009-06-26 16:50 . 2004-08-04 11:00 668672 ----a-w- c:\windows\system32\wininet.dll

2009-06-26 16:50 . 2004-08-04 11:00 81920 ----a-w- c:\windows\system32\ieencode.dll

2009-06-16 14:39 . 2004-08-04 11:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:39 . 2004-08-04 11:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-03 19:10 . 2004-08-04 11:00 1295872 ----a-w- c:\windows\system32\quartz.dll

2009-05-25 03:24 . 2008-05-27 01:18 350208 ------w- c:\windows\system32\mssph.dll

2009-05-24 20:34 . 2005-01-28 19:38 74112 ----a-w- c:\windows\system32\drivers\viamraid.sys

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]

"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre6\bin\jusched.exe" [2009-08-02 148888]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-03 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\arquivos de programas\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [26/7/2009 18:00 114768]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [26/7/2009 18:00 20560]

.

- - - - ORFÃOS REMOVIDOS - - - -

HKLM-Run-avast! - c:\arquiv~1\ALWILS~1\Avast4\ashDisp.exe

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.google.com.br/

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-19 22:46

Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

**************************************************************************

.

--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Tempo para conclusão: 2009-08-20 22:47

ComboFix-quarantined-files.txt 2009-08-20 01:47

Pré-execução: 7 pasta(s) 44.208.988.160 bytes disponíveis

Pós execução: 6 pasta(s) 44.417.060.864 bytes disponíveis

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

209

******* FIM *********

HIJACKTHIS.log

******* INICIO *******

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:53:54, on 19/8/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Arquivos de programas\Java\jre6\bin\jusched.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Hijack\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896