vasudeva (posted September 24, 2009):

Hello,

I hope everyone is enjoying much success, health and peace! Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:45:00 PM, on 2009/09/24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqbam08.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\All Users\Desktop\Downloads\HiJackThis(2).exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.cineturbo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Arquivos de programas\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Arquivos de programas\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [soundMax] "C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [hpqSRMon] C:\Arquivos de programas\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Seleção HP Smart - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Arquivos de programas\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Findbasic Service - Unknown owner - C:\Documents and Settings\All Users\Dados de aplicativos\Findbasic\findbasic121.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

-- End of file - 6804 bytes
Power Max (posted September 24, 2009):

Hello vasudeva!

Your log is not showing anything dangerous. How is your PC doing at the moment?
vasudeva (posted September 28, 2009):

> Hello vasudeva! Your log is not showing anything dangerous. How is your PC doing at the moment?

Man, it's more my Mozilla. I have trouble commenting on blogs (those little security letters don't show up), viewing the text editor of my blogs... I have been downloading a lot and browsing a lot, so I thought I might have caught something... Alright, good to know there is nothing serious. Thanks once again, and much peace and happiness.
Power Max (posted September 28, 2009):

> Man, it's more my Mozilla. I have trouble commenting on blogs (those little security letters don't show up), viewing the text editor of my blogs...

Everything indicates that this problem is not related to viruses or malware. But to be safe, update your Avira AntiVir antivirus. Right-click the Avira icon (the open red umbrella next to the Windows clock), choose the option Start AntiVir > click Scan system now > and wait for the scan to finish.

______________________________________

Install these programs (the ones you don't have yet) and use them now and weekly to clean your PC and keep it more efficient and optimized:

CCleaner
MV RegClean
MV AntiSpy
Auslogics Disk Defrag
SpywareBlaster

Also follow the tips in this tutorial: Tips to make your computer faster and more efficient

_____________________________________

After that, tell us how your PC is doing. We'll be waiting.
vasudeva (posted October 9, 2009):

Hello,

1) I downloaded all the programs you listed. I ran MV RegClean 3 times in a row. The first run removed more than eight hundred entries, so I ran it twice more, always with results... as I write to you it has just finished its fourth clean-up (2 entries) and, just out of curiosity, I started it again....

2) MV AntiSpy emitted this log:

Yet Another Method Windows Uses to Log Your Computer Activity
by Helamonster ( mr_helamonster@yahoo.com )
http://www.geocities.com/TimesSquare/Maze/1125/

I was recently poking around my Windows registry, looking for a way to modify an explorer menu, when I happened upon a few suspicious keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
and
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Both keys contained a huge number of REG_BINARY entries with some odd-looking key names. After looking through them for a while, I realized that the key names had been modified with the common ROT-13 string manipulation routine. So I decoded a few of them to see what the hell all this data was for. What I found was quite interesting.

From here on, I will refer to the decoded key names as just the 'key names'. All the key names begin with one of the following strings, which describe the rest of the key name text:

UEME_RUNPIDL: local files, titles of web pages
UEME_RUNPATH: executables
UEME_CTLSESSION (entire string): always the first key written; unknown purpose
UEME_CTLCUACount: unknown
UEME_UISCUT (entire string): clipboard cut ?
UEME_UIQCUT (entire string): clipboard cut ?
UEME_UIHOTKEY (entire string): hotkey pressed ?
UEME_RUNWMCMD: ?
UEME_RUNCPL: execution of control panel applets
UEME_UITOOLBAR: use of a toolbar button ?

The remainder of the key names ending in a colon (:) are the paths of file names, titles of web pages, or some other unknown data. The binary values for all of the keys except the UEME_CTLSESSION key are 16 bytes long. The UEME_CTLSESSION key's data is 8 bytes long. I have not found out what that data represents, but I think it is probably a date/time value.

Some of the entries containing file paths use the following variables:

%csidl2% = start menu programs directory
%csidl6% = favorites directory

FYI: A PIDL is a Pointer to an ID List. Every item in Explorer's namespace, whether it's a file, directory, Control Panel applet, or an object exposed by an extension, can be uniquely specified by its PIDL. <http://www.codeproject.com/shell/namespcextguide1.asp#PIDLs>

Here are a few examples of what I found, in "key name"=hex:value format:

"UEME_RUNPIDL:2600 - The Hacker Quarterly Info"=hex:61,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00
"UEME_CTLCUACount:ctor"=hex:00,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00
"UEME_RUNPIDL:saturn_rings_false.jpg"=hex:61,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00
"UEME_RUNPATH:D:\installs\drivers\nVidia Riva TNT (STB Velocity 4400)\28.32_winxp.exe"=hex:66,00,00,00,06,00,00,00,e0,0c,ff,e8,81,d1,c1,01
"UEME_RUNPIDL:C:\profiles\Helamonster\Recent\Aqua - Doctor Jones.mp3.lnk"=hex:66,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00
"UEME_RUNPIDL:IPN.doc"=hex:7c,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00
"UEME_RUNPATH:\\Helamonster\resource\meg102w2k.exe"=hex:99,00,00,00,06,00,00,00,40,b8,e5,a7,c1,f4,c1,01
"UEME_UITOOLBAR:0x1,122"=hex:b6,00,00,00,09,00,00,00,b0,c5,70,f3,2f,0a,c2,01
"UEME_RUNWMCMD:0x2,113"=hex:01,00,00,00,06,00,00,00,30,41,98,03,6e,8a,c1,01

I did not like this at all! At first, I thought I might have been infected by a trojan or something. But I found that in fact, EXPLORER.EXE is the program that writes these keys. I also did a little searching on the internet and found that a few people had the same keys, although they seemed not to know what they were (they didn't even notice the ROT-13). The EXE had not been modified from the Windows 2000 Service Pack 2 version I had archived, which means it was probably not infected. I then checked my other computer, also running Windows 2000 SP2, and the same keys exist there too with a bunch of entries (although fewer, because I use that computer less). So at this point I am reasonably sure this activity is done solely by Microsoft.

My {5E6AB780-7743-11CF-A12B-00AA004AE837} key (5E key) contained fewer entries than my {75048700-EF1F-11D0-9888-006097DEACF9} key (75 key). The 5E key had only .url files (files in Internet Explorer's favorites menu) along with other things like UEME_UIHOTKEY, UEME_RUNWMCMD, UEME_UITOOLBAR, and others. It had no other local files and no titles of web pages. The 75 key had much more, including local files, titles of web pages, .url files in favorites, and a few others including UEME_RUNWMCMD.

Both keys had entries for files and URLs that I haven't accessed for years. And it appears that there are entries for things I accessed only when I first installed Windows (like drivers). This could mean that Windows logs this information and never deletes the log data. This bloats the registry, which fragments it, which slows Windows down. It took regedit 10 seconds to load and display all the keys in my 75 key (with a 1200 MHz CPU). The 75 key had 18,497 entries! The 5E key had 394 entries.

So then, I exported the keys to a text file for later inspection and deleted the keys from my registry. As soon as I double-clicked "My Computer," the keys were re-written (although the only entry at this point was UEME_CTLSESSION). I continued to access files and browse the web (with IE), and of course, the 75 key continued to gain entries.
After searching the internet, I found the following article (in German):
http://www.windows2000helpline.de/forum/showthread.php?threadid=29066
Which was copied here:
http://pub15.ezboard.com/fsecurityboardsfrm6.showMessage?topicID=628.topic
Which refers to a Microsoft article:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q239062

I don't speak German, but I was able to determine that this guy noticed these registry keys before I did. He also found out that you can apparently add a registry key under:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\Settings

as:

NoEncrypt = 1 (DWORD)

to make Windows not 'encrypt' the text of the registry key names. Of course, this does not 'decrypt' the current entries.

What to do? I just delete those dumb keys at every logon/logoff or manually by executing a script. I added those registry keys to my list that I regularly delete with a little win32 batch script I put together. I have text files called keys.kil, files.kil, dirs.kil that contain registry keys, filenames, or directory names (respectively) that I want to delete, all separated by newlines. A file named 'yes' is created by the script that contains the character y and a newline (for answering yes to prompts). The 'C:\WINNT\system32\GroupPolicy\User\Scripts\cleanup.cmd' file contains the following:

-------------------------------------
@echo off
c:
cd "C:\WINNT\system32\GroupPolicy\User\Scripts"
echo:
echo:
echo y >yes
echo: >>yes
echo Attempting to delete stupid directories and subdirectories...
echo:
for /f "delims=?" %%i in (dirs.kil) do (
    echo "%%i"...
    deltree /y "%%i" <yes
)
echo:
echo:
echo Attempting to delete stupid registry entries and keys...
echo:
for /f "delims=?" %%i in (keys.kil) do (
    echo "%%i"...
    reg delete "%%i" /f <yes
)
echo:
echo:
echo Attempting to delete stupid files...
echo:
for /f "delims=?" %%i in (files.kil) do (
    echo "%%i"...
    if exist "%%i" attrib -s -h -r "%%i"
    if exist "%%i" del "%%i"
)
-------------------------------------

Here is my complete list of registry keys I wipe out:

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ContainingTextMRU
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
HKCU\Software\Microsoft\Internet Explorer\TypedURLs
HKCU\Software\Microsoft\Internet Explorer\IntelliForms\SPW
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

And here are a few directories you will probably want to wipe out (you might need to change the variables):

%USERPROFILE%\Cookies
%USERPROFILE%\History
%USERPROFILE%\Recent
%USERPROFILE%\Local Settings\Temporary Internet Files
%USERPROFILE%\Local Settings\History
%USERPROFILE%\UserData
%USERPROFILE%\Application Data\Microsoft\Office\Recent
%USERPROFILE%\Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data
%SystemDrive%\recycled
%SystemDrive%\RECYCLER
%windir%\temp
%temp%

You may need to modify this to meet your specific needs. Note that you will need deltree.exe and reg.exe, which do not come standard with Windows NT / 2000. REG.EXE comes in the Microsoft Windows NT Server 4.0 Resource Kit. You can get an updated version of it here:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/reskit/nt40/i386/reg_x86.exe

DELTREE.EXE comes with MS-DOS and Windows 95/98/ME, which I'm sure you already have. Visit http://www3.sympatico.ca/rhwatson/dos7/z-deltree.html to find out which CAB file it is in for your version of Windows.

Of course, this does not solve the problem. It merely fixes the symptoms. Microsoft's products are known for archiving large amounts of personal data for no apparent reason. This includes internet addresses visited, local files accessed, email addresses, and so on. But I've personally never found such a large database of this type of information before now. Storing info about internet history and recent documents makes sense, because all of this information is used to help the user access recently used information. But I see absolutely no reason for this huge registry database of information. That's Microsoft for you.

3) I'm defragmenting with the system tool right now... the Auslogics Disk Defrag link isn't working. I'm defragmenting with the system's own tool instead... is there any difference?

4) CCleaner I already had and I always use it...

5) SpywareBlaster I already had on the system, if memory serves; I downloaded and installed it anyway...

Regards!
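The UserAssist format described in the post above, as an added example that is not part of the original thread or of Helamonster's text: a small Python parser for UserAssist values in the "name"=hex:aa,bb,... form the post quotes. It ROT-13-decodes each value name, splits the 16-byte data into the session id, run counter and FILETIME that the post shows as raw hex, converts the FILETIME to a UTC datetime, and lists the programs that were actually launched. The sample lines are constructed here from the values quoted in the post (re-encoded with ROT-13, as Explorer stores them); the UEME_CTLSESSION value is a constructed placeholder. Two things are assumptions rather than facts from the page: the layout <session id, counter, FILETIME> for the 16-byte values, and the Windows 2000/XP convention from Didier Stevens' UserAssist research that the counter starts at 5 (so a raw 6 means one run). Value names are taken literally, with no .reg escape handling.

```python
import codecs
import re
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100 ns ticks since 1601-01-01 UTC; an all-zero value means "never run".
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Assumption (Didier Stevens' UserAssist research, not the post above): on Windows 2000/XP
# the run counter starts at 5, so a raw count of 6 means the item was launched once.
XP_COUNT_OFFSET = 5

# One regedit-style value line: "name"=hex:66,00,00,00,...
REG_LINE = re.compile(r'^"(?P<name>.*)"=hex:(?P<hex>[0-9A-Fa-f]{2}(?:,[0-9A-Fa-f]{2})*)$')


def rot13(text):
    """Explorer obfuscates UserAssist value names with ROT-13; the cipher is its own inverse."""
    return codecs.decode(text, "rot13")


def filetime_to_datetime(filetime):
    """Convert a 64-bit FILETIME to an aware UTC datetime; 0 means no timestamp."""
    if filetime == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_userassist_value(encoded_name, data):
    """Decode one UserAssist value (name as stored in the registry, data as raw bytes)."""
    name = rot13(encoded_name)
    prefix, _, target = name.partition(":")
    entry = {"name": name, "prefix": prefix, "target": target, "size": len(data)}
    if len(data) == 16:
        # Assumed layout of the 16-byte values: session id, run counter, FILETIME (little-endian).
        session, raw_count, filetime = struct.unpack("<IIQ", data)
        entry.update(
            session=session,
            raw_count=raw_count,
            runs=max(raw_count - XP_COUNT_OFFSET, 0),
            last_run=filetime_to_datetime(filetime),
        )
    elif len(data) == 8:
        # UEME_CTLSESSION: 8 bytes whose meaning the post leaves open; keep the raw value.
        entry["raw"] = data.hex()
    return entry


def parse_reg_lines(lines):
    """Parse "name"=hex:aa,bb,... lines (as exported by regedit) into decoded entries."""
    entries = []
    for line in lines:
        m = REG_LINE.match(line.strip())
        if not m:
            continue  # [key] header, blank line or anything that is not a value
        data = bytes(int(h, 16) for h in m.group("hex").split(","))
        entries.append(parse_userassist_value(m.group("name"), data))
    return entries


def _constructed_line(plain_name, hex_bytes):
    """Build a sample line the way Explorer stores it: ROT-13 name, regedit-style hex data."""
    return '"%s"=hex:%s' % (codecs.encode(plain_name, "rot13"), hex_bytes)


# Constructed sample input: the values quoted in the post, re-encoded as they sit on disk.
SAMPLE_LINES = [
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist"
    "\\{75048700-EF1F-11D0-9888-006097DEACF9}\\Count]",
    _constructed_line("UEME_CTLSESSION", "00,00,00,00,00,00,00,00"),  # constructed placeholder
    _constructed_line(
        "UEME_RUNPATH:D:\\installs\\drivers\\nVidia Riva TNT (STB Velocity 4400)\\28.32_winxp.exe",
        "66,00,00,00,06,00,00,00,e0,0c,ff,e8,81,d1,c1,01",
    ),
    _constructed_line("UEME_RUNPIDL:saturn_rings_false.jpg",
                      "61,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00"),
    _constructed_line("UEME_RUNPATH:\\\\Helamonster\\resource\\meg102w2k.exe",
                      "99,00,00,00,06,00,00,00,40,b8,e5,a7,c1,f4,c1,01"),
]


def launched_programs(lines):
    """Return (path, runs, last_run) for every UEME_RUNPATH entry with at least one run."""
    return [
        (e["target"], e["runs"], e["last_run"])
        for e in parse_reg_lines(lines)
        if e["prefix"] == "UEME_RUNPATH" and e.get("runs", 0) > 0
    ]


if __name__ == "__main__":
    for path, runs, last in launched_programs(SAMPLE_LINES):
        print("%s  runs=%d  last=%s" % (path, runs, last.isoformat() if last else "never"))
```

On the post's own data this turns "66,00,00,00,06,00,00,00,e0,0c,ff,e8,81,d1,c1,01" into session 0x66, one run, last launched 2002-03-22 09:14:03 UTC, while the UEME_RUNPIDL entries with a counter of 2 and a zero timestamp come out as never launched. To run it against a real export, save the UserAssist\...\Count key from regedit as a .reg file and feed its lines to parse_reg_lines; because the names are only ROT-13, the same function works whether or not NoEncrypt was set afterwards, since rot13 of an already-plain name simply has to be skipped.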
Power Max (posted October 9, 2009):

> 3) I'm defragmenting with the system tool right now... the Auslogics Disk Defrag link isn't working. I'm defragmenting with the system's own tool instead... is there any difference?

You can defragment with the system's own tool, it is very good too. And after that, please tell us how your PC is doing and whether the problems have been solved. We'll be waiting.
vasudeva (posted October 13, 2009):

Antonio, the PC is better. Thank you very much, and I think you can close the topic. Peace and health.
Power Max (posted October 13, 2009):

PROBLEM SOLVED!

If the author needs the topic reopened, just send a Private Message to a Moderator with a link to the topic.