Archived

This topic has been archived and is closed to new replies.

Fábio Mesquita

[Solved!] Log Analysis


Good morning everyone,

Please analyze the log below:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:19:51, on 30/6/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\ARQUIV~1\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Arquivos de programas\Symantec\pcAnywhere\awhost32.exe

C:\Arquivos de programas\Bonjour\mDNSResponder.exe

C:\WINDOWS\Explorer.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\PDF Complete\pdfsvc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Arquivos de programas\Arquivos comuns\Nokia\MPlatform\NokiaMServer.exe

C:\Arquivos de programas\iTunes\iTunesHelper.exe

C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe

C:\Arquivos de programas\Microsoft ActiveSync\wcescomm.exe

C:\Arquivos de programas\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe

C:\ARQUIV~1\MI3AA1~1\rapimgr.exe

C:\Documents and Settings\wanderley\Configurações locais\Dados de aplicativos\Google\Update\1.2.183.29\GoogleCrashHandler.exe

C:\Arquivos de programas\UltraVNC\winvnc.exe

C:\Arquivos de programas\Windows Desktop Search\WindowsSearch.exe

C:\WINDOWS\system32\javaw.exe

C:\Arquivos de programas\iPod\bin\iPodService.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Arquivos de programas\Arquivos comuns\Nokia\NoA\nokiaaserver.exe

C:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe

C:\Arquivos de programas\PC Connectivity Solution\Transports\NclMSBTSrv.exe

C:\Arquivos de programas\PC Connectivity Solution\Transports\NclUSBSrv.exe

C:\Arquivos de programas\PC Connectivity Solution\Transports\NclRSSrv.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\WINDOWS\system32\SearchFilterHost.exe

C:\Documents and Settings\wanderley\Desktop\HiJackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:\\athaserver\workforce

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:\\athaserver\workforce

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:4480

R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

F2 - REG:system.ini: Shell=Explorer.exe

O1 - Hosts: 200.201.166.200 caixa.com.br

O1 - Hosts: 200.201.166.200 www.caixa.com.br

O1 - Hosts: 200.201.166.200 caixa.gov.br

O1 - Hosts: 200.201.166.200 www.caixa.gov.br

O1 - Hosts: 200.201.166.200 cef.com.br

O1 - Hosts: 200.201.166.200 www.cef.com.br

O1 - Hosts: 200.201.166.200 cef.gov.br

O1 - Hosts: 200.201.166.200 www.cef.gov.br

O1 - Hosts: 200.201.166.200 caixaeconomicafederal.com.br

O1 - Hosts: 200.201.166.200 www.caixaeconomica.com.br

O1 - Hosts: 200.201.166.200 www.caixaeconomicafederal.com.br

O1 - Hosts: 200.211.224.71 credicardciti.com.br

O1 - Hosts: 200.211.224.71 www.credicardciti.com.br

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: (no name) - {47D16415-6DDB-444A-811A-AE0A5F03BC2D}811A-AE0A5F03BC2D} - (no file)

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Arquivos de programas\LogMeIn\x86\LogMeInSystray.exe"

O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NokiaMServer] C:\Arquivos de programas\Arquivos comuns\Nokia\MPlatform\NokiaMServer /watchfiles startup

O4 - HKLM\..\Run: [NokiaMusic FastStart] "C:\Arquivos de programas\Nokia\Ovi Player\NokiaOviPlayer.exe" /command:faststart

O4 - HKLM\..\Run: [iTunesHelper] "C:\Arquivos de programas\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Arquivos de programas\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\wanderley\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [NokiaOviSuite2] C:\Arquivos de programas\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe -tray

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')

O4 - Startup: Workforce.lnk = C:\WINDOWS\system32\javaw.exe

O4 - Global Startup: UltraVNC Server.lnk = C:\Arquivos de programas\UltraVNC\winvnc.exe

O4 - Global Startup: Windows Search.lnk = C:\Arquivos de programas\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Estatísticas do Antivírus da Web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\SCIEPlgn.dll

O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\ARQUIV~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARQUIV~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Criar Favorito Móvel... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARQUIV~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233596085812

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233596018119

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = intranet.athalaia.com.br

O17 - HKLM\Software\..\Telephony: DomainName = intranet.athalaia.com.br

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = intranet.athalaia.com.br

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = intranet.athalaia.com.br

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = intranet.athalaia.com.br

O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = intranet.athalaia.com.br

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveSystemServices.dll

O20 - AppInit_DLLs: C:\ARQUIV~1\KASPER~1\KASPER~1.0FO\adialhk.dll

O20 - Winlogon Notify: GbPluginBb - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll

O23 - Service: Dispositivo Celular da Apple (Apple Mobile Device) - Apple Inc. - C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe

O23 - Service: Serviço de Host do pcAnywhere (awhost32) - Symantec Corporation - C:\Arquivos de programas\Symantec\pcAnywhere\awhost32.exe

O23 - Service: Serviço do Bonjour (Bonjour Service) - Apple Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe

O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Arquivos de programas\LogMeIn\x86\RaMaint.exe

O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Arquivos de programas\LogMeIn\x86\LogMeIn.exe

O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Arquivos de programas\PDF Complete\pdfsvc.exe

O23 - Service: ServiceLayer - Nokia - C:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe

 

--

End of file - 11677 bytes

 

The machine is freezing a lot and Task Manager was blocked; I managed to unblock it through regedit, but I would like to know whether there is any other problem.

Thanks,

 

Fábio Mesquita


Good afternoon

 

 

1.

*Download HostsXpert and save it to the desktop

*Extract it to the desktop and run it.

*Click on > [Restore Microsoft's Hosts File]

 

2.

*Download MalwareBytes Anti-malware and save it to the desktop

*Install the program

*If any update exists, the download will be automatic. Wait...

*The program will open automatically.

*On the [Scan] tab, select the [Full scan] option

*Click [Scan] and select the partitions to be examined (usually C:\ and D:\)

*At the end of the scan, you may be asked whether you want to remove objects from memory. Click [Yes] > [OK] > [Show Results]

*Click [Remove Selected]

*A report (mbam-log-year-month-date.txt) will be displayed.

*Paste it in your next reply

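The O1 entries in the HijackThis log above pin a block of bank domains to 200.201.166.200 and 200.211.224.71, which is why step 1 restores the stock hosts file. As an added example (not code from this thread or from any of the tools it mentions), the Python below parses either HijackThis "O1 - Hosts:" lines or a raw Windows hosts file and flags every hostname mapped to a non-loopback address, grouped by target IP; the sample inputs are constructed from the log's own entries plus a few benign lines for contrast.

```python
"""Flag hosts-file hijacks of the kind visible in a HijackThis log.

Two inputs are supported: the 'O1 - Hosts:' lines of a HijackThis log and a
raw Windows hosts file. An entry is flagged when a hostname is pinned to an
address that is neither loopback nor unspecified, and hits are grouped by
target address so that many bank domains pointing at one IP stand out.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample input: O1 lines copied from the log in this thread, plus a
# benign localhost line and an unrelated O4 line to show that they are ignored.
SAMPLE_HJT_LOG = """\
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 200.201.166.200 caixa.com.br
O1 - Hosts: 200.201.166.200 www.caixa.gov.br
O1 - Hosts: 200.211.224.71 www.credicardciti.com.br
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

# Constructed sample hosts file with comments, IPv6 and several names per line.
SAMPLE_HOSTS_FILE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
200.201.166.200 caixa.com.br www.caixa.com.br   # added by malware
0.0.0.0         ads.example.test   # blocklist-style entry, harmless
"""

O1_LINE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")


def parse_hjt_o1(log_text):
    """Return (ip, hostname) pairs from 'O1 - Hosts:' lines; other lines are ignored."""
    pairs = []
    for line in log_text.splitlines():
        m = O1_LINE.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs


def parse_hosts_file(text):
    """Return (ip, hostname) pairs from a hosts file, one pair per hostname.

    Handles blank lines, '#' comments (full-line and trailing) and multiple
    hostnames on one line.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        pairs.extend((ip, name.lower()) for name in names)
    return pairs


def is_benign_target(ip):
    """True for loopback (127.x, ::1) and unspecified (0.0.0.0, ::) targets.

    Those are the only targets a stock hosts file or an ad blocklist uses;
    anything else pins a public name to a specific host and needs a look.
    Unparseable addresses are treated as suspicious rather than skipped.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def find_hijacks(pairs):
    """Group suspicious (ip, hostname) pairs by target IP.

    Returns {ip: [hostnames...]} in input order; an empty dict means clean.
    """
    hits = defaultdict(list)
    for ip, name in pairs:
        if not is_benign_target(ip):
            hits[ip].append(name)
    return dict(hits)


if __name__ == "__main__":
    for label, pairs in (("HijackThis O1 lines", parse_hjt_o1(SAMPLE_HJT_LOG)),
                         ("hosts file", parse_hosts_file(SAMPLE_HOSTS_FILE))):
        hijacks = find_hijacks(pairs)
        print(f"{label}: {'clean' if not hijacks else 'SUSPICIOUS'}")
        for ip, names in hijacks.items():
            print(f"  {ip} <- {', '.join(names)}")
```

On a live machine, feed `parse_hosts_file` the contents of `%SystemRoot%\System32\drivers\etc\hosts` to check the result of the restore step.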

Wings,

Here is the log.

Thanks!

 

 

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

 

Versão da Base de Dados: 4261

 

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

 

30/6/2010 16:31:50

mbam-log-2010-06-30 (16-31-50).txt

 

Tipo de Verificação: Verificação Completa (C:\|)

Objetos escaneados: 340722

Tempo decorrido: 1 hora(s), 43 minuto(s), 15 segundo(s)

 

Processos de Memória Infectados: 0

Módulos de Memória Infectados: 0

Chaves de Registro Infectadas: 2

Valores de Registro Infectados: 0

Itens de Dados no Registro Infectados: 1

Pastas Infectadas: 1

Arquivos Infectados: 5

 

Processos de Memória Infectados:

(Não foram detectados ítens maliciosos)

 

Módulos de Memória Infectados:

(Não foram detectados ítens maliciosos)

 

Chaves de Registro Infectadas:

HKEY_CLASSES_ROOT\center.centerplus (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\amty (Worm.Autorun) -> Quarantined and deleted successfully.

 

Valores de Registro Infectados:

(Não foram detectados ítens maliciosos)

 

Itens de Dados no Registro Infectados:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn (Hijack.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

 

Pastas Infectadas:

C:\Arquivos de programas\RelevantKnowledge (Spyware.MarketScore) -> Quarantined and deleted successfully.

 

Arquivos Infectados:

C:\Arquivos de programas\RelevantKnowledge\rlservice.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.

C:\Arquivos de programas\SoftwareClub.ws\SC Audio CD creator\rkverify.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.

C:\Documents and Settings\wanderley\Configurações locais\Temporary Internet Files\Content.IE5\PXFT0N6N\foto1[1].jpg (Extension.Mismatch) -> Quarantined and deleted successfully.

C:\WINDOWS\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Tasks\startt.job (Trojan.Banker) -> Quarantined and deleted successfully.


*Download DDS and save it to the desktop

*Temporarily disable your antivirus

*Double-click dds and wait. Save the reports to the desktop

*Paste the report created in DDS.txt


Here is the log:

 

 

 

DDS (Ver_10-03-17.01) - NTFSx86

Run by wanderley at 16:53:38,69 on qua 30/06/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.1983.1016 [GMT -3:00]

 

AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

 

============== Running Processes ===============

 

C:\ARQUIV~1\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Arquivos de programas\Symantec\pcAnywhere\awhost32.exe

C:\Arquivos de programas\Bonjour\mDNSResponder.exe

C:\Arquivos de programas\LogMeIn\x86\RaMaint.exe

C:\Arquivos de programas\LogMeIn\x86\LogMeIn.exe

C:\Arquivos de programas\LogMeIn\x86\LMIGuardian.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Arquivos de programas\PDF Complete\pdfsvc.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\Explorer.exe

C:\Arquivos de programas\LogMeIn\x86\LogMeInSystray.exe

C:\Arquivos de programas\Arquivos comuns\Nokia\MPlatform\NokiaMServer.exe

C:\Arquivos de programas\iTunes\iTunesHelper.exe

C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe

C:\Arquivos de programas\Microsoft ActiveSync\wcescomm.exe

C:\Arquivos de programas\LogMeIn\x86\LMIGuardian.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe

C:\Documents and Settings\wanderley\Configurações locais\Dados de aplicativos\Google\Update\1.2.183.29\GoogleCrashHandler.exe

C:\ARQUIV~1\MI3AA1~1\rapimgr.exe

C:\Arquivos de programas\UltraVNC\winvnc.exe

C:\Arquivos de programas\Windows Desktop Search\WindowsSearch.exe

C:\WINDOWS\system32\javaw.exe

C:\Arquivos de programas\iPod\bin\iPodService.exe

C:\Arquivos de programas\Arquivos comuns\Nokia\NoA\nokiaaserver.exe

C:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe

C:\Arquivos de programas\PC Connectivity Solution\Transports\NclMSBTSrv.exe

C:\Arquivos de programas\PC Connectivity Solution\Transports\NclUSBSrv.exe

C:\Arquivos de programas\PC Connectivity Solution\Transports\NclRSSrv.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\Arquivos de programas\Java\jre6\bin\java.exe

C:\Documents and Settings\wanderley\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\wanderley\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\wanderley\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Documents and Settings\wanderley\Meus documentos\Downloads\dds.scr

 

============== Pseudo HJT Report ===============

 

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uDefault_Search_URL = hxxp://www.google.com/ie

uStart Page = hxxp:\\athaserver\workforce

uDefault_Page_URL = hxxp:\\athaserver\workforce

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = 192.168.1.1:4480

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

uURLSearchHooks: Barra de Ferramentas do Yahoo! com bloqueador de pop-up: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

mWinlogon: Shell=Explorer.exe

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\arquivos de programas\arquivos comuns\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\arquivos de programas\skype\toolbars\internet explorer\SkypeIEPlugin.dll

BHO: {47D16415-6DDB-444A-811A-AE0A5F03BC2D}811A-AE0A5F03BC2D} - No File

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\arquivos de programas\microsoft office\office12\GrooveShellExtensions.dll

BHO: GbIehObj Class: {c41a1c0e-ea6c-11d4-b1b8-444553540000} - c:\arquivos de programas\gbplugin\gbieh.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\arquivos de programas\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\arquivos de programas\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [H/PC Connection Agent] "c:\arquivos de programas\microsoft activesync\wcescomm.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Google Update] "c:\documents and settings\wanderley\configurações locais\dados de aplicativos\google\update\GoogleUpdate.exe" /c

uRun: [<NO NAME>]

uRun: [NokiaOviSuite2] c:\arquivos de programas\nokia\nokia ovi suite\NokiaOviSuite.exe -tray

mRun: [LogMeIn GUI] "c:\arquivos de programas\logmein\x86\LogMeInSystray.exe"

mRun: [AVP] "c:\arquivos de programas\kaspersky lab\kaspersky anti-virus 6.0 for windows workstations\avp.exe"

mRun: [Adobe Reader Speed Launcher] "c:\arquivos de programas\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\arquivos de programas\arquivos comuns\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\arquivos de programas\quicktime\qttask.exe" -atboottime

mRun: [NokiaMServer] c:\arquivos de programas\arquivos comuns\nokia\mplatform\NokiaMServer /watchfiles startup

mRun: [NokiaMusic FastStart] "c:\arquivos de programas\nokia\ovi player\NokiaOviPlayer.exe" /command:faststart

mRun: [iTunesHelper] "c:\arquivos de programas\itunes\iTunesHelper.exe"

mRun: [GrooveMonitor] "c:\arquivos de programas\microsoft office\office12\GrooveMonitor.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [Picasa Media Detector] c:\arquivos de programas\picasa2\PicasaMediaDetector.exe

dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"

StartupFolder: c:\docume~1\wander~1\menuin~1\progra~1\inicia~1\workfo~1.lnk - c:\windows\system32\javaw.exe

StartupFolder: c:\docume~1\alluse~1\menuin~1\progra~1\inicia~1\ultrav~1.lnk - c:\arquivos de programas\ultravnc\winvnc.exe

StartupFolder: c:\docume~1\alluse~1\menuin~1\progra~1\inicia~1\window~1.lnk - c:\arquivos de programas\windows desktop search\WindowsSearch.exe

uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)

uPolicies-system: Wallpaper = \\athaserver\documentos\desktop.jpg

uPolicies-system: WallpaperStyle = 2

uPolicies-system: DisableTaskMgr =

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\arquivos de programas\messenger\msmsgs.exe

IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\arquivos de programas\kaspersky lab\kaspersky anti-virus 6.0 for windows workstations\SCIEPlgn.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\arquiv~1\micros~2\office12\ONBttnIE.dll

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\arquiv~1\mi3aa1~1\INetRepl.dll

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\arquiv~1\mi3aa1~1\INetRepl.dll

IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\arquivos de programas\skype\toolbars\internet explorer\SkypeIEPlugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\arquiv~1\micros~2\office12\REFIEBAR.DLL

DPF: Microsoft XML Parser for Java

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233596085812

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233596018119

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\arquivos de programas\microsoft office\office12\GrooveSystemServices.dll

Notify: GbPluginBb - c:\arquivos de programas\gbplugin\gbieh.dll

Notify: klogon - c:\windows\system32\klogon.dll

Notify: LMIinit - LMIinit.dll

Notify: PCANotify - PCANotify.dll

AppInit_DLLs: c:\arquiv~1\kasper~1\kasper~1.0fo\adialhk.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: GbPluginObj Class: {e37cb5f0-51f5-4395-a808-5fa49e399f83} - c:\arquivos de programas\gbplugin\gbieh.dll

SEH: {57B86673-276A-48B2-BAE7-C6DBB3020EB8} - No File

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\arquivos de programas\microsoft office\office12\GrooveShellExtensions.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\arquivos de programas\windows desktop search\MSNLNamespaceMgr.dll

 

============= SERVICES / DRIVERS ===============

 

R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\gbpkm.sys [2009-2-4 45472]

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2007-7-18 112144]

R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2003-10-23 16984]

R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2003-4-21 10901]

R1 klif;Klif;c:\windows\system32\drivers\klif.sys [2007-11-9 201504]

R2 awhost32;Serviço de Host do pcAnywhere;c:\arquivos de programas\symantec\pcanywhere\awhost32.exe [2003-10-31 106496]

R2 GbpSv;Gbp Service;c:\arquiv~1\gbplugin\GbpSv.exe [2007-12-28 55072]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\arquivos de programas\logmein\x86\rainfo.sys [2008-7-24 12856]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-2-13 47640]

R2 pdfcDispatcher;PDF Document Manager;c:\arquivos de programas\pdf complete\pdfsvc.exe [2008-7-7 777240]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-5-30 24344]

S2 AVP;Kaspersky Anti-Virus 6.0;c:\arquivos de programas\kaspersky lab\kaspersky anti-virus 6.0 for windows workstations\avp.exe [2007-11-19 231952]

S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

 

=============== Created Last 30 ================

 

2010-06-30 17:11:37 0 d-----w- c:\docume~1\wander~1\dadosd~1\Malwarebytes

2010-06-30 17:11:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-30 17:11:26 0 d-----w- c:\docume~1\alluse~1\dadosd~1\Malwarebytes

2010-06-30 17:11:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-30 17:11:25 0 d-----w- c:\arquivos de programas\Malwarebytes' Anti-Malware

2010-06-23 13:50:07 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-06-22 18:55:49 286720 ----a-w- c:\windows\akct1163.dll

2010-06-22 14:49:18 0 d-----w- c:\arquivos de programas\iPod

2010-06-22 14:29:36 0 d-----w- c:\arquivos de programas\Bonjour

2010-06-21 12:52:29 0 d-----w- c:\docume~1\alluse~1\dadosd~1\OviInstallerCache

 

==================== Find3M ====================

 

2010-06-30 19:48:21 93087264 --sha-w- c:\windows\system32\drivers\fidbox.dat

2010-06-30 19:41:19 2593312 --sha-w- c:\windows\system32\drivers\fidbox2.dat

2010-06-30 19:35:47 246236 --sha-w- c:\windows\system32\drivers\fidbox2.idx

2010-06-30 19:35:47 1253804 --sha-w- c:\windows\system32\drivers\fidbox.idx

2010-06-10 11:49:30 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll

2010-06-10 11:49:20 29568 ----a-w- c:\windows\system32\LMIport.dll

2010-06-10 11:49:17 87424 ----a-w- c:\windows\system32\LMIinit.dll

2010-05-26 13:48:08 45472 ----a-w- c:\windows\system32\drivers\gbpkm.sys

2010-05-18 19:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-05-18 19:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-05-17 17:16:11 83370 ----a-w- c:\windows\system32\perfc016.dat

2010-05-17 17:16:11 479348 ----a-w- c:\windows\system32\perfh016.dat

2010-05-17 17:06:30 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf

2010-05-17 17:06:22 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf

2010-05-17 17:04:49 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01009.Wdf

2010-05-17 17:04:31 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf

2010-05-05 15:02:24 97549 ----a-w- c:\windows\system32\drivers\klick.dat

2010-05-05 15:02:24 113933 ----a-w- c:\windows\system32\drivers\klin.dat

2010-04-19 23:47:44 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll

2010-04-12 20:29:19 411368 ----a-w- c:\windows\system32\deployJava1.dll

2009-05-13 20:57:52 16384 --sha-w- c:\windows\system32\config\systemprofile\configurações locais\histórico\history.ie5\index.dat

2009-05-13 20:57:52 32768 --sha-w- c:\windows\system32\config\systemprofile\configurações locais\temporary internet files\content.ie5\index.dat

2009-05-13 20:57:52 16384 --sha-w- c:\windows\system32\config\systemprofile\cookies\index.dat

2008-02-23 14:47:08 16384 -csha-w- c:\windows\temp\cookies\index.dat

2008-02-23 14:47:08 16384 -csha-w- c:\windows\temp\history\history.ie5\index.dat

2008-02-23 14:47:08 49152 -csha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

 

============= FINISH: 16:54:10,64 ===============


*Download SystemLook and save it to the desktop

*Double-click SystemLook.exe

*Paste the code below in the blank space:

 

:file

c:\windows\akct1163.dll

*Click [Look]

*Paste the report shown in SystemLook.txt, located on the desktop


Here it is:

 

SystemLook v1.0 by jpshortstuff (11.01.10)

Log created at 17:28 on 30/06/2010 by wanderley (Administrator - Elevation successful)

 

========== file ==========

 

c:\windows\akct1163.dll - File found and opened.

MD5: 3B3BF7AA5CED1E46C4A1577977CABC2D

Created at 18:55 on 22/06/2010

Modified at 18:55 on 22/06/2010

Size: 286720 bytes

Attributes: --a---

FileVersion: 1.00.2837

ProductVersion: 1.00.2837

OriginalFilename: gran.dll

InternalName: gran

ProductName: BrowserHelper

CompanyName: MAX

 

-=End Of File=-


Delete the file by sending it to the Recycle Bin.

 

Restart the PC and report whether this dll is requested.

 

If nothing happens, keep it in the Recycle Bin in case some program requests it.

 

I believe it is not related to anything. If it is never requested, delete it permanently.

 

Delete SystemLook and its report.

 

*Open the Malwarebytes program and, on the [Quarantine] tab, select all results and click [Delete All]

*Click the [Logs] tab, select the report and click [Delete]

 

Regards.


Hi Fabio....

 

*Download FreeFile and save it to the desktop

*Extract the contents to the desktop

*Run the program

1) In the first field, click [browse] and locate the file.

2) The process that is blocking it will appear in the second field.

 

Report which software it depends on.


All right...

 

No antivirus detected it as a threat. It may even belong to a game.

 

The PC is clean.

 

Regards.


PROBLEM SOLVED!

 

If the author needs the topic to be reopened, just send a Private Message to a Moderator with a link to the topic.
