Lovely_Girl

[Solved!] Generic Host Process and explorer.exe


Hello, I have the following problem:

After a few minutes of using the internet, the following messages appear:

"Generic Host Process for Win32 Services has encountered a problem and needs to close." and "explorer.exe has encountered a problem and needs to close."

Both messages ask whether I want to report it to Micro$oft. If I click 'Don't send', the connection drops, everything freezes and I have to restart the PC.

I've already had a look on Google; all the possible solutions and updates I found were old and for SP2 (I didn't try any of them, and my PC has XP Professional with Service Pack 3). In this forum I saw a similar problem (and, following the recommendations, I opened this new topic).

(Going back in time a little: I installed uTorrent a few days ago, and what came along with the downloads? Viruses, as usual. I fixed that with Avira AntiVir, which ever since keeps suddenly flagging a few viruses with an alert to click and remove on the spot. Could that be related to the current problem? (I think so))

Could someone help me?

Thanks ^_^

The messages appeared again; I didn't close them, didn't do anything, that was the only way I managed to stay online.

But now a Windows security alert appeared saying that the firewall blocked Windows Explorer :o Ugh :huh:


OK, thanks Mário Monteiro!

I didn't do it yesterday because it was very hard to work with that pile of little windows getting in the way, no matter how much I dragged them into the corner, hahaha :X Today, so far, there's only one...

Here is the log:


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:15:02, on 26/4/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\avshadow.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Arquivos de programas\CyberLink\Shared files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\sm56hlpr.exe

C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe

C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\dwwin.exe

C:\WINDOWS\explorer.exe

C:\Hijack\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: (no name) - {153B3FD3-9873-4292-B298-4B45BBB82ECc} - (no file)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: (no name) - {874E8B23-2476-49BA-8038-209EEE347A30} - c:\windows\system32\kizbmey.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Arquivos de programas\Epson Software\Easy Photo Print\EPTBL.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Arquivos de programas\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Arquivos de programas\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Arquivos de programas\Google\Google Toolbar\GoogleToolbar_32.dll

O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Arquivos de programas\Epson Software\Easy Photo Print\EPTBL.dll

O4 - HKLM\..\Run: [sMSERIAL] sm56hlpr.exe

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [VTPreset] VTPreset.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Minas Compy\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: NCProTray.lnk = ?

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~4\Office12\EXCEL.EXE/3000

O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{8D4148A8-34C0-4B2D-B8EB-5FCC7DC483E0}: NameServer = 200.165.132.148 200.165.132.155

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared files\RichVideo.exe

 

--

End of file - 8743 bytes

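As an added example, not code from the thread or from HijackThis, here is a first-pass Python triage over log lines in the HijackThis v2 format shown above. The sample lines are constructed from entries in that log, and the rules (orphaned or unnamed BHOs, autorun entries with a bare filename, DNS server overrides, services with an unknown owner) pick out the entries a helper checks first rather than deciding what is malicious.

```python
import re
from dataclasses import dataclass

# Added example, not code from the thread or from HijackThis: a first-pass triage
# over HijackThis v2 log lines. It surfaces entries a helper checks first; it is
# not a malware verdict and it changes nothing on the system.

# Constructed sample input, modelled on entries from the log posted in the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {153B3FD3-9873-4292-B298-4B45BBB82ECc} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {874E8B23-2476-49BA-8038-209EEE347A30} - c:\windows\system32\kizbmey.dll
O4 - HKLM\..\Run: [sMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - Global Startup: NCProTray.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D4148A8-34C0-4B2D-B8EB-5FCC7DC483E0}: NameServer = 200.165.132.148 200.165.132.155
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared files\RichVideo.exe
End of file - 8743 bytes
"""

# One HijackThis entry: "<section code> - <body>", e.g. "O2 - BHO: ..."
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>.+?\\Run): \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^Global Startup: (?P<lnk>.+?) = (?P<target>.*)$")
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>.+)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. "O2"
    reason: str    # why a helper should look at this entry
    line: str      # the original log line


def executable_of(cmd: str) -> str:
    """Return the program token of an autorun command, without quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def check_entry(section: str, body: str, line: str):
    """Apply the per-section rules to one log entry; return a Finding or None."""
    if section == "O2":
        m = BHO_RE.match(body)
        if m and m.group("path") == "(no file)":
            return Finding(section, "orphaned BHO registration (CLSID points at no file); cleanup candidate", line)
        if m and m.group("name") == "(no name)":
            return Finding(section, f"unnamed BHO loads {m.group('path')}; verify the DLL's publisher and hash", line)
    elif section == "O4":
        m = RUN_RE.match(body)
        if m:
            exe = executable_of(m.group("cmd"))
            if exe and "\\" not in exe and "/" not in exe:
                return Finding(section, f"autorun [{m.group('key')}] names {exe} without a path; confirm which file on the search path actually runs", line)
        m = STARTUP_RE.match(body)
        if m and m.group("target") == "?":
            return Finding(section, f"startup shortcut {m.group('lnk')} has an unresolved target", line)
    elif section == "O17":
        m = NAMESERVER_RE.search(body)
        if m:
            return Finding(section, f"DNS servers set to {m.group('servers')}; confirm they belong to the ISP", line)
    elif section == "O23":
        m = SERVICE_RE.match(body)
        if m and m.group("owner") == "Unknown owner":
            return Finding(section, f"service {m.group('name')} has no publisher; verify the origin of {m.group('path')}", line)
    return None


def triage(log_text: str) -> list:
    """Parse a HijackThis log and return the entries worth a second look, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, footer and blank lines carry no entry
        f = check_entry(m.group("section"), m.group("body"), line)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.reason}")
```

Matches are entries to verify, not a verdict; the script deliberately changes nothing on the system.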

Good afternoon Lovely_Girl...

1.

*Download MalwareBytes Anti-malware and save it to the desktop
*Install the program
*If an update exists, it will be downloaded automatically. Wait...
*The program will open automatically.
*On the [Scan] tab, select the [Full scan] option
*Click [Scan] and select the drives to be scanned
*When the scan ends, you may be asked whether you want to remove objects from memory. Click [Yes] > [OK] > [Show Results]
*Click [Remove Selected]
*A report (mbam-log-year-month-date.txt) will be displayed.
*Paste it in your next reply


Hello wings, thanks for the help.

Here is the MalwareBytes log:


Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

 

Versão da Base de Dados: 4041

 

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

 

27/4/2010 11:26:58

mbam-log-2010-04-27 (11-26-58).txt

 

Tipo de Verificação: Verificação Completa (C:\|D:\|)

Objetos escaneados: 156842

Tempo decorrido: 3 hora(s), 16 minuto(s), 20 segundo(s)

 

Processos de Memória Infectados: 0

Módulos de Memória Infectados: 0

Chaves de Registro Infectadas: 2

Valores de Registro Infectados: 0

Itens de Dados no Registro Infectados: 0

Pastas Infectadas: 0

Arquivos Infectados: 10

 

Processos de Memória Infectados:

(Não foram detectados ítens maliciosos)

 

Módulos de Memória Infectados:

(Não foram detectados ítens maliciosos)

 

Chaves de Registro Infectadas:

HKEY_CLASSES_ROOT\.fsharproj (Trojan.Tracur) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.

 

Valores de Registro Infectados:

(Não foram detectados ítens maliciosos)

 

Itens de Dados no Registro Infectados:

(Não foram detectados ítens maliciosos)

 

Pastas Infectadas:

(Não foram detectados ítens maliciosos)

 

Arquivos Infectados:

C:\Documents and Settings\Minas Compy\Configurações locais\Temp\SystemPropertiesPerformanceb.exe (Virus.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Minas Compy\Configurações locais\Temp\EULA.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\Minas Compy\Configurações locais\Temp\findb.exe (Spyware.Passwords) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\cdfaoe.sys (Rootkit.Agent) -> Delete on reboot.

C:\Documents and Settings\Minas Compy\Configurações locais\Temp\sshnas21.dll (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Arquivos de programas\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.

C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Minas Compy\Dados de aplicativos\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\config\systemprofile\Dados de aplicativos\fvgqad.dat (Malware.Trace) -> Quarantined and deleted successfully.


*Temporarily disable your antivirus

Right-click the Avira icon next to the clock > click the "AntiVir Guard enable" option.

*Download ComboFix and save it to the desktop
*Run ComboFix and accept the agreement

*If the Windows Recovery Console is already installed, ComboFix will continue the process automatically. Otherwise, click [Yes] to install it.

[image: recovery-console-prompt.jpg]

*Click [Yes] to continue.

[image: recovery-console-installed.jpg]

*Wait for all the stages to complete

[image: etapas.jpg]

*While ComboFix is running, avoid using the mouse and the keyboard!! To interrupt the procedure press N or 2 and then ENTER.

*The program will close automatically

*Paste the report created at C:\combofix.txt


This time it was hard: ComboFix only worked on the 3rd attempt (I don't know whether it's worth telling it in more detail, but I think not =P).

And since that 3rd attempt the messages haven't appeared yet (but then again, it hasn't even been half an hour, lol; sometimes they really have taken a while to come and 'pester' me, heh).

Once again thank you wings, and here is the log:


ComboFix 10-04-26.05 - Minas Compy 28/04/2010 3:02.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.1015.676 [GMT -3:00]

Executando de: c:\documents and settings\Minas Compy\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\NCProTray.lnk

c:\windows\system32\drivers\cvtjqrvq.sys

c:\windows\system32\drivers\whxqdtxc.sys

c:\windows\system32\effjllo.dll

c:\windows\system32\fjhdyfhsn.bat

c:\windows\system32\kizbmey.dll

c:\windows\system32\nnfjvtzf.dll

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_GOJIIWYT

-------\Legacy_WHXQDTXC

-------\Service_gojiiwyt

-------\Service_whxqdtxc

 

 

(((((((((((((((( Arquivos/Ficheiros criados de 2010-03-28 to 2010-04-28 ))))))))))))))))))))))))))))

.

 

2010-04-27 07:44 . 2010-04-27 07:44 -------- d-----w- c:\documents and settings\Minas Compy\Dados de aplicativos\Malwarebytes

2010-04-27 07:42 . 2010-03-30 03:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-27 07:42 . 2010-04-27 07:42 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes

2010-04-27 07:42 . 2010-04-27 07:43 -------- d-----w- c:\arquivos de programas\Malwarebytes' Anti-Malware

2010-04-27 07:42 . 2010-03-30 03:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-26 15:13 . 2010-04-27 06:22 -------- d-----w- C:\Hijack

2010-04-25 01:56 . 2010-04-28 03:54 -------- d-----w- c:\windows\system32\NtmsData

2010-04-25 01:36 . 2010-04-25 01:36 -------- d-----r- c:\documents and settings\NetworkService\Favoritos

2010-04-25 01:28 . 2010-04-25 01:28 -------- d-----w- c:\documents and settings\Minas Compy\Dados de aplicativos\Avira

2010-04-25 00:37 . 2010-03-01 12:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-04-25 00:37 . 2009-05-11 14:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-04-25 00:37 . 2009-05-11 14:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-04-25 00:37 . 2010-04-25 00:37 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Avira

2010-04-25 00:37 . 2010-04-25 00:37 -------- d-----w- c:\arquivos de programas\Avira

2010-04-24 22:28 . 2010-04-24 22:28 -------- d-----w- c:\windows\system32\wbem\Repository

2010-04-23 05:56 . 2010-04-23 05:56 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Macrovision Shared

2010-04-23 05:55 . 2010-04-24 22:27 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Rosetta Stone

2010-04-03 05:06 . 2010-04-03 05:06 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Soulseek

2010-03-31 04:47 . 2010-03-31 04:47 503808 ----a-w- c:\documents and settings\Minas Compy\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7e577b91-n\msvcp71.dll

2010-03-31 04:47 . 2010-03-31 04:47 499712 ----a-w- c:\documents and settings\Minas Compy\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7e577b91-n\jmc.dll

2010-03-31 04:47 . 2010-03-31 04:47 348160 ----a-w- c:\documents and settings\Minas Compy\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7e577b91-n\msvcr71.dll

2010-03-31 04:47 . 2010-03-31 04:47 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Java

2010-03-31 04:46 . 2010-03-31 04:46 12800 ----a-w- c:\documents and settings\Minas Compy\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3f26f7e1-n\decora-d3d.dll

2010-03-31 04:46 . 2010-03-31 04:46 61440 ----a-w- c:\documents and settings\Minas Compy\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3f26f7e1-n\decora-sse.dll

2010-03-31 04:42 . 2010-03-31 04:42 -------- d-----w- c:\arquivos de programas\Java

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-28 06:16 . 2010-01-16 07:25 802304 ----a-w- c:\windows\system32\drivers\cdfaoe.sys

2010-04-27 17:05 . 2009-10-25 02:03 1 ----a-w- c:\documents and settings\Minas Compy\Dados de aplicativos\BrOffice.org\3\user\uno_packages\cache\stamp.sys

2010-04-24 23:09 . 2008-04-13 21:55 53504 ----a-w- c:\windows\system32\drivers\i8042prt.sys

2010-04-24 05:34 . 2009-10-17 19:37 -------- d-----w- c:\arquivos de programas\Zpoc Brasil

2010-04-14 20:08 . 2009-10-16 17:50 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help

2010-04-02 03:24 . 2009-11-16 17:29 -------- d-----w- c:\arquivos de programas\No-IP

2010-03-31 04:42 . 2009-10-16 18:46 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-03-22 01:54 . 2010-03-22 01:53 -------- d-----w- c:\arquivos de programas\Arquivos comuns\DVDVideoSoft

2010-03-18 19:18 . 2009-10-16 18:56 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Adobe

2010-03-10 06:16 . 2008-04-13 22:20 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-02-25 06:17 . 2008-04-13 22:20 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-24 13:11 . 2008-04-13 15:17 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-21 16:49 . 2001-10-28 18:07 79980 ----a-w- c:\windows\system32\perfc016.dat

2010-02-21 16:49 . 2001-10-28 18:07 471022 ----a-w- c:\windows\system32\perfh016.dat

2010-02-17 17:07 . 2008-04-13 22:01 2194176 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 19:07 . 2008-04-13 19:00 2071040 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-16 16:24 . 2009-10-16 18:49 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-02-12 04:34 . 2008-04-13 22:20 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:02 . 2008-04-13 15:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

2010-01-28 12:05 . 2010-02-27 19:36 69632 ----a-w- c:\windows\system32\MSJCE.dll

2009-12-18 01:10 . 2009-12-18 01:08 2623272 ----a-w- c:\arquivos de programas\TeamViewer_Setup.exe

2009-10-25 01:27 . 2009-10-24 23:50 133992032 ----a-w- c:\arquivos de programas\BrOOo_3.1.1_Win32Intel_install_pt-BR.exe

2009-08-20 15:06 . 2009-08-20 15:06 126704693 ----a-w- c:\arquivos de programas\brofficeorg1.cab

2009-08-20 15:04 . 2009-08-20 15:04 9812992 ----a-w- c:\arquivos de programas\brofficeorg31.msi

2009-08-19 08:39 . 2009-08-19 08:39 330 ----a-w- c:\arquivos de programas\setup.ini

2008-06-15 17:34 . 2009-10-16 21:18 4780368 ----a-w- c:\arquivos de programas\MsgPlusLive-460.exe

2006-12-13 13:29 . 2009-10-18 01:02 5697208 ----a-w- c:\arquivos de programas\gtk+-2.10.6-1-setup.exe

2006-11-09 21:26 . 2009-10-16 21:18 1580560 ----a-w- c:\arquivos de programas\googletalk-setup-pt-BR.exe

2002-03-11 09:06 . 2002-03-11 09:06 1822520 ----a-w- c:\arquivos de programas\instmsiw.exe

2002-03-11 08:45 . 2002-03-11 08:45 1708856 ----a-w- c:\arquivos de programas\instmsia.exe

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-16 39408]

"Google Update"="c:\documents and settings\Minas Compy\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" [2010-02-20 135664]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SMSERIAL"="sm56hlpr.exe" [2004-06-14 569344]

"GrooveMonitor"="c:\arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"VTPreset"="VTPreset.exe" [2004-02-24 45056]

"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

"Adobe ARM"="c:\arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

"SunJavaUpdateSched"="c:\arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe" [2010-02-18 248040]

"avgnt"="c:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]

2007-01-01 22:54 3735552 ----a-w- c:\arquivos de programas\Google\Google Talk\googletalk.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]

2006-04-13 14:09 49152 ----a-w- c:\arquivos de programas\CyberLink\PowerDVD\Language\Language.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

2005-12-08 01:57 30208 ------w- c:\arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Arquivos de programas\\Zpoc Brasil\\ZPoC.exe"=

"c:\\Arquivos de programas\\Google\\Google Talk\\googletalk.exe"=

"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Arquivos de programas\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Documents and Settings\\Minas Compy\\temp\\TeamViewer\\Version5\\TeamViewer.exe"=

"c:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"12283:TCP"= 12283:TCP:@xpsp2res.dll,-22009

"24791:TCP"= 24791:TCP:@xpsp2res.dll,-22009

"36574:TCP"= 36574:TCP:@xpsp2res.dll,-22009

"12255:TCP"= 12255:TCP:@xpsp2res.dll,-22009

"18680:TCP"= 18680:TCP:@xpsp2res.dll,-22009

"44417:TCP"= 44417:TCP:@xpsp2res.dll,-22009

"38863:TCP"= 38863:TCP:@xpsp2res.dll,-22009

"14798:TCP"= 14798:TCP:@xpsp2res.dll,-22009

"31709:TCP"= 31709:TCP:@xpsp2res.dll,-22009

"14752:TCP"= 14752:TCP:@xpsp2res.dll,-22009

"10194:TCP"= 10194:TCP:@xpsp2res.dll,-22009

 

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [24/4/2010 21:37 135336]

 

--- =Outros Serviços/Drivers Na Memória ---

 

*NewlyCreated* - WHXQDTXC

*Deregistered* - cdfaoe

*Deregistered* - whxqdtxc

.

Conteúdo da pasta 'Tarefas Agendadas'

 

2010-04-28 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-10-18 00:18]

.

.

------- Scan Suplementar -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = iexplore

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~4\Office12\EXCEL.EXE/3000

TCP: {8D4148A8-34C0-4B2D-B8EB-5FCC7DC483E0} = 200.165.132.148 200.165.132.155

FF - ProfilePath - c:\documents and settings\Minas Compy\Dados de aplicativos\Mozilla\Firefox\Profiles\qrlxh0b2.default\

FF - plugin: c:\arquivos de programas\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

FF - plugin: c:\arquivos de programas\Windows Live\Photo Gallery\NPWLPG.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

 

---- FIREFOX POLICIES ----

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

- - - - ORFÃOS REMOVIDOS - - - -

 

BHO-{153B3FD3-9873-4292-B298-4B45BBB82ECc} - (no file)

ShellIconOverlayIdentifiers-{874E8B23-2476-49BA-8038-209EEE347A30} - (no file)

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-28 03:13

Windows 5.1.2600 Service Pack 3 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cdfaoe]

 

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

 

- - - - - - - > 'explorer.exe'(2680)

c:\windows\system32\WININET.dll

c:\arquiv~1\WINDOW~2\wmpband.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Outros Processos em Execução ------------------------

.

c:\arquivos de programas\Avira\AntiVir Desktop\avguard.exe

c:\arquivos de programas\Java\jre6\bin\jqs.exe

c:\arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\mdm.exe

c:\arquivos de programas\Avira\AntiVir Desktop\avshadow.exe

c:\arquivos de programas\CyberLink\Shared files\RichVideo.exe

c:\windows\sm56hlpr.exe

.

**************************************************************************

.

Tempo para conclusão: 2010-04-28 03:18:27 - Máquina reiniciou

ComboFix-quarantined-files.txt 2010-04-28 06:18

 

Pré-execução: 10 pasta(s) 142.796.050.432 bytes disponíveis

Pós execução: 13 pasta(s) 144.233.816.064 bytes disponíveis

 

- - End Of File - - 54E49EF34FCEEE274D05AB281069C34D


1.

*Delete the file C:\combofix.txt and the folder C:\Qoobox

 

2.

*Open Notepad, then select, copy and paste into it the entire contents of the code below:

 

Rootkit::

c:\windows\system32\drivers\cdfaoe.sys

Registry::

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cdfaoe]

Driver::

whxqdtxc

cdfaoe

*Save the file to the desktop as CFScript.txt

*Drag the file onto ComboFix as shown in the illustration below:

 

CFScript.gif

 

*Important: while ComboFix is running, do not use the mouse or the keyboard!! To interrupt the process, press N or 2.

*Paste the report created at C:\combofix.txt


ComboFix 10-04-26.05 - Minas Compy 28/04/2010 16:41:29.3.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.1015.724 [GMT -3:00]

Executando de: c:\documents and settings\Minas Compy\Desktop\ComboFix.exe

Comandos utilizados :: c:\documents and settings\Minas Compy\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

 

(((((((((((((((( Arquivos/Ficheiros criados de 2010-03-28 to 2010-04-28 ))))))))))))))))))))))))))))

.

 

2010-04-27 07:44 . 2010-04-27 07:44 -------- d-----w- c:\documents and settings\Minas Compy\Dados de aplicativos\Malwarebytes

2010-04-27 07:42 . 2010-03-30 03:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-27 07:42 . 2010-04-27 07:42 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes

2010-04-27 07:42 . 2010-04-27 07:43 -------- d-----w- c:\arquivos de programas\Malwarebytes' Anti-Malware

2010-04-27 07:42 . 2010-03-30 03:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-26 15:13 . 2010-04-27 06:22 -------- d-----w- C:\Hijack

2010-04-25 01:56 . 2010-04-28 03:54 -------- d-----w- c:\windows\system32\NtmsData

2010-04-25 01:36 . 2010-04-25 01:36 -------- d-----r- c:\documents and settings\NetworkService\Favoritos

2010-04-25 01:28 . 2010-04-25 01:28 -------- d-----w- c:\documents and settings\Minas Compy\Dados de aplicativos\Avira

2010-04-25 00:37 . 2010-03-01 12:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-04-25 00:37 . 2009-05-11 14:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-04-25 00:37 . 2009-05-11 14:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-04-25 00:37 . 2010-04-25 00:37 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Avira

2010-04-25 00:37 . 2010-04-25 00:37 -------- d-----w- c:\arquivos de programas\Avira

2010-04-24 22:28 . 2010-04-24 22:28 -------- d-----w- c:\windows\system32\wbem\Repository

2010-04-23 05:56 . 2010-04-23 05:56 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Macrovision Shared

2010-04-23 05:55 . 2010-04-24 22:27 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Rosetta Stone

2010-04-03 05:06 . 2010-04-03 05:06 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Soulseek

2010-03-31 04:47 . 2010-03-31 04:47 503808 ----a-w- c:\documents and settings\Minas Compy\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7e577b91-n\msvcp71.dll

2010-03-31 04:47 . 2010-03-31 04:47 499712 ----a-w- c:\documents and settings\Minas Compy\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7e577b91-n\jmc.dll

2010-03-31 04:47 . 2010-03-31 04:47 348160 ----a-w- c:\documents and settings\Minas Compy\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7e577b91-n\msvcr71.dll

2010-03-31 04:47 . 2010-03-31 04:47 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Java

2010-03-31 04:46 . 2010-03-31 04:46 12800 ----a-w- c:\documents and settings\Minas Compy\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3f26f7e1-n\decora-d3d.dll

2010-03-31 04:46 . 2010-03-31 04:46 61440 ----a-w- c:\documents and settings\Minas Compy\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3f26f7e1-n\decora-sse.dll

2010-03-31 04:42 . 2010-03-31 04:42 -------- d-----w- c:\arquivos de programas\Java

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-28 17:51 . 2009-10-25 02:03 1 ----a-w- c:\documents and settings\Minas Compy\Dados de aplicativos\BrOffice.org\3\user\uno_packages\cache\stamp.sys

2010-04-24 23:09 . 2008-04-13 21:55 53504 ----a-w- c:\windows\system32\drivers\i8042prt.sys

2010-04-24 05:34 . 2009-10-17 19:37 -------- d-----w- c:\arquivos de programas\Zpoc Brasil

2010-04-14 20:08 . 2009-10-16 17:50 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help

2010-04-02 03:24 . 2009-11-16 17:29 -------- d-----w- c:\arquivos de programas\No-IP

2010-03-31 04:42 . 2009-10-16 18:46 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-03-22 01:54 . 2010-03-22 01:53 -------- d-----w- c:\arquivos de programas\Arquivos comuns\DVDVideoSoft

2010-03-18 19:18 . 2009-10-16 18:56 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Adobe

2010-03-10 06:16 . 2008-04-13 22:20 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-02-25 06:17 . 2008-04-13 22:20 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-24 13:11 . 2008-04-13 15:17 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-21 16:49 . 2001-10-28 18:07 79980 ----a-w- c:\windows\system32\perfc016.dat

2010-02-21 16:49 . 2001-10-28 18:07 471022 ----a-w- c:\windows\system32\perfh016.dat

2010-02-17 17:07 . 2008-04-13 22:01 2194176 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 19:07 . 2008-04-13 19:00 2071040 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-16 16:24 . 2009-10-16 18:49 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-02-12 04:34 . 2008-04-13 22:20 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:02 . 2008-04-13 15:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

2009-12-18 01:10 . 2009-12-18 01:08 2623272 ----a-w- c:\arquivos de programas\TeamViewer_Setup.exe

2009-10-25 01:27 . 2009-10-24 23:50 133992032 ----a-w- c:\arquivos de programas\BrOOo_3.1.1_Win32Intel_install_pt-BR.exe

2009-08-20 15:06 . 2009-08-20 15:06 126704693 ----a-w- c:\arquivos de programas\brofficeorg1.cab

2009-08-20 15:04 . 2009-08-20 15:04 9812992 ----a-w- c:\arquivos de programas\brofficeorg31.msi

2009-08-19 08:39 . 2009-08-19 08:39 330 ----a-w- c:\arquivos de programas\setup.ini

2008-06-15 17:34 . 2009-10-16 21:18 4780368 ----a-w- c:\arquivos de programas\MsgPlusLive-460.exe

2006-12-13 13:29 . 2009-10-18 01:02 5697208 ----a-w- c:\arquivos de programas\gtk+-2.10.6-1-setup.exe

2006-11-09 21:26 . 2009-10-16 21:18 1580560 ----a-w- c:\arquivos de programas\googletalk-setup-pt-BR.exe

2002-03-11 09:06 . 2002-03-11 09:06 1822520 ----a-w- c:\arquivos de programas\instmsiw.exe

2002-03-11 08:45 . 2002-03-11 08:45 1708856 ----a-w- c:\arquivos de programas\instmsia.exe

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-16 39408]

"Google Update"="c:\documents and settings\Minas Compy\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" [2010-02-20 135664]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SMSERIAL"="sm56hlpr.exe" [2004-06-14 569344]

"GrooveMonitor"="c:\arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"VTPreset"="VTPreset.exe" [2004-02-24 45056]

"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

"Adobe ARM"="c:\arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

"SunJavaUpdateSched"="c:\arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe" [2010-02-18 248040]

"avgnt"="c:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]

2007-01-01 22:54 3735552 ----a-w- c:\arquivos de programas\Google\Google Talk\googletalk.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]

2006-04-13 14:09 49152 ----a-w- c:\arquivos de programas\CyberLink\PowerDVD\Language\Language.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

2005-12-08 01:57 30208 ------w- c:\arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Arquivos de programas\\Zpoc Brasil\\ZPoC.exe"=

"c:\\Arquivos de programas\\Google\\Google Talk\\googletalk.exe"=

"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Arquivos de programas\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Documents and Settings\\Minas Compy\\temp\\TeamViewer\\Version5\\TeamViewer.exe"=

"c:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"12283:TCP"= 12283:TCP:@xpsp2res.dll,-22009

"24791:TCP"= 24791:TCP:@xpsp2res.dll,-22009

"36574:TCP"= 36574:TCP:@xpsp2res.dll,-22009

"12255:TCP"= 12255:TCP:@xpsp2res.dll,-22009

"18680:TCP"= 18680:TCP:@xpsp2res.dll,-22009

"44417:TCP"= 44417:TCP:@xpsp2res.dll,-22009

"38863:TCP"= 38863:TCP:@xpsp2res.dll,-22009

"14798:TCP"= 14798:TCP:@xpsp2res.dll,-22009

"31709:TCP"= 31709:TCP:@xpsp2res.dll,-22009

"14752:TCP"= 14752:TCP:@xpsp2res.dll,-22009

"10194:TCP"= 10194:TCP:@xpsp2res.dll,-22009

 

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [24/4/2010 21:37 135336]

.

Conteúdo da pasta 'Tarefas Agendadas'

 

2010-04-28 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-10-18 00:18]

.

.

------- Scan Suplementar -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = iexplore

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~4\Office12\EXCEL.EXE/3000

TCP: {8D4148A8-34C0-4B2D-B8EB-5FCC7DC483E0} = 200.165.132.148 200.165.132.155

FF - ProfilePath - c:\documents and settings\Minas Compy\Dados de aplicativos\Mozilla\Firefox\Profiles\qrlxh0b2.default\

FF - plugin: c:\arquivos de programas\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

FF - plugin: c:\arquivos de programas\Windows Live\Photo Gallery\NPWLPG.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

 

---- FIREFOX POLICIES ----

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-28 16:59

Windows 5.1.2600 Service Pack 3 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

 

- - - - - - - > 'explorer.exe'(2728)

c:\windows\system32\WININET.dll

c:\arquiv~1\WINDOW~2\wmpband.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Outros Processos em Execução ------------------------

.

c:\arquivos de programas\Avira\AntiVir Desktop\avguard.exe

c:\arquivos de programas\Java\jre6\bin\jqs.exe

c:\arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\mdm.exe

c:\arquivos de programas\CyberLink\Shared files\RichVideo.exe

c:\arquivos de programas\Avira\AntiVir Desktop\avshadow.exe

c:\windows\sm56hlpr.exe

.

**************************************************************************

.

Tempo para conclusão: 2010-04-28 17:04:56 - Máquina reiniciou

ComboFix-quarantined-files.txt 2010-04-28 20:04

 

Pré-execução: 12 pasta(s) 144.209.317.888 bytes disponíveis

Pós execução: 13 pasta(s) 144.177.102.848 bytes disponíveis

 

- - End Of File - - D1DF387CD107FDA80B10B7D3F5DC8DC9


OK.... the PC is clean.

 

 

1.

*Click [Start] > [Run] > type: Combofix /uninstall

*Click [OK]

 

92674490.jpg

 

*Click [Run]

*Wait until the message "ComboFix está desinstalado" (ComboFix is uninstalled) appears

*Click [OK]

 

 

Let me know whether this solved it.

 

 

Regards.


PROBLEM SOLVED!

 

If the author needs the topic to be reopened, just send a Private Message to a Moderator with a link to the topic.
